Cybersecurity

 

 

Attacks on the Record
https://sm.asisonline.org/Pages/Attacks-on-the-Record.aspx
2018-06-01T04:00:00Z, Megan Gates (https://adminsm.asisonline.org/pages/megan-gates.aspx)
<p>It was, in the opinion of some experts, a long overdue action. But it finally came. On March 15, 2018, the U.S. federal government issued sanctions against Russia for its interference in the 2016 U.S. elections and malicious cyberattacks on critical infrastructure.</p><p>"The administration is confronting and countering malign Russian cyber activity, including their attempted interference in U.S. elections, destructive cyberattacks, and intrusions targeting critical infrastructure," said U.S. Treasury Secretary Steven T. Mnuchin in a statement. "These targeted sanctions are a part of a broader effort to address the ongoing nefarious attacks emanating from Russia."</p><p>The sanctions targeted five entities and 19 individuals for their roles in these activities and prohibit U.S. persons from engaging in transactions with them. Mnuchin also said that the department intends to impose additional Countering America's Adversaries Through Sanctions Act (CAATSA) sanctions to hold Russian government officials and oligarchs accountable.</p><p>The economic penalties are an attempt to punish Russians for their role in various forms of cyberactivity, including the NotPetya attack, which the White House and the British government have attributed to the Russian military.</p><p>NotPetya "was the most destructive and costly cyberattack in history," Mnuchin said. "The attack resulted in billions of dollars in damage across Europe, Asia, and the United States, and significantly disrupted global shipping, trade, and the production of medicines. 
Additionally, several hospitals in the United States were unable to create electronic records for more than a week."</p><p>The sanctions were also in response to the efforts of Russian government cyber actors in targeting U.S. government entities and critical infrastructure—including energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors—since at least March 2016. </p><p>Nick Bilogorskiy, cybersecurity strategist at Juniper Networks, says that the United States should be "very concerned" about these attacks.</p><p>"For one, they could cause prolonged electrical outages and blackouts because our electrical grid infrastructure lacks sufficient redundancy to sustain these attacks," Bilogorskiy explains. "In the worst-case scenario, cyberattacks on nuclear power plants could cause them to explode and cost human lives."</p><p>One example of a near-worst-case scenario was the recent incident targeting Schneider's Triconex controllers at Saudi Arabia's power plants. A cyberattack hit its systems, Bilogorskiy says. It was intended to cause an explosion, but an error in the attack's computer code caused it to fail.</p><p>To educate network defenders on how they can reduce the risk of similar malicious activity in their networks, the U.S. Department of Homeland Security (DHS) and the FBI released a joint technical alert detailing Russia's campaigns to target critical infrastructure. </p><p>"DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities' networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks," the alert said. 
"After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to industrial control systems (ICS)."</p><p>The alert split Russia's activity into two categories for victims: intended targets and staging targets. Russia targeted peripheral organizations, such as trusted third-party suppliers with less-secure networks, that the alert calls staging targets.</p><p>"The threat actors used the staging targets' networks as pivot points and malware repositories when targeting their final intended victims," the alert explained. DHS and the FBI "judge the ultimate objective of the actors is to compromise organizational networks, also referred to as the 'intended target.'"</p><p>Compromising these networks involved conducting reconnaissance, beginning with publicly available information on the intended targets that could be used to conduct spear phishing campaigns.</p><p>"In some cases, information posted to company websites, especially information that may appear to be innocuous, may contain operationally sensitive information," the alert said. "As an example, the threat actors downloaded a small photo from a publicly accessible human resources page. The image, when expanded, was a high-resolution photo that displayed control systems equipment models and status information in the background."</p><p>After obtaining information through reconnaissance, the threat actors weaponized that information to launch spear phishing campaigns against their targets that referred to control systems or process control systems. These campaigns tended to use a contract agreement theme that included the subject "AGREEMENT & Confidential," as well as PDFs labeled "document.pdf."</p><p>"The PDF was not malicious and did not contain any active code," the alert said. 
"The document contained a shortened URL that, when clicked, led users to a website that prompted the user for email address and password."</p><p>The phishing emails also often referenced industrial control equipment and protocols and used malicious Microsoft Word attachments—like résumés and curricula vitae for industrial control systems personnel—to entice recipients to open them.</p><p>Additionally, the hackers used watering holes to compromise the infrastructure of trusted organizations to reach their intended targets.</p><p>"Approximately half of the known watering holes are trade publications and informational websites related to process control, ICS, or critical infrastructure," the alert said. "Although these watering holes may host legitimate content developed by reputable organizations, the threat actors altered websites to contain and reference malicious content."</p><p>The threat actors were then able to collect users' credentials that would allow them to log in to their profiles elsewhere. They also used this access to compromise victims' networks where they were not using multifactor authentication.</p><p>"To maintain persistence, the threat actors created local administrator accounts within staging targets and placed malicious files within intended targets," according to the alert.</p><p>Once the attackers had gained access to their intended targets, they used that access to infiltrate workstations and servers on corporate networks that contained data on control systems within energy generation facilities. The attackers also copied profile and configuration information for accessing ICS systems. 
</p><p>This method of compromise is not new and has been demonstrated in cyberattacks on the corporate sector over the past few years, says Tom Patterson, chief trust officer at Unisys.</p><p>"Just as with the Target cyber breach several years ago, they first attacked supply chain partners, which are often less protected, and then used their access to compromise the actual target company," Patterson explains.</p><p>The level of access the attackers were able to gain is concerning, Patterson adds, because it could potentially give them the ability to disrupt functions of critical infrastructure, such as providing heat in the winter. </p><p>"Since many of these ICS devices are connected to corporate networks in today's enterprise, and oftentimes they are older devices built on insecure operating systems, this gives the threat actors and their political or economic masters the ability to disrupt or destroy systems at the push of a button," Patterson says.</p><p>Brian Harrell, CPP, former operations director of the Electricity Information Sharing and Analysis Center and director of critical infrastructure protection programs at the North American Electric Reliability Corporation (NERC), agrees with Patterson that these kinds of attacks are not new.</p><p>What is new, says Harrell—now president and CSO of the Cutlass Security Group—is that the United States is choosing to acknowledge and attribute the activity, publicly, to Russia. </p><p>"While attribution is often difficult, nation-state actors like Russia likely have the most interest in compromising industrial control networks, not to necessarily take anything, but to prove they can access our systems and cause us to feel unsettled," he explains. </p><p>While the U.S. 
government has taken the approach to name and shame, Harrell says he thinks it's unlikely that the public actions will deter Russia's behavior.</p><p>"Unfortunately, the current DHS alert, legal indictments, sanctions, or public shaming will not have any effect on Russian cyber intrusions," he adds. "However, we must continue to increase pressure until they change their behavior and become a responsible member of the international community."</p><p>In the meantime, the FBI and DHS recommend that network administrators review the IP addresses, domain names, file hashes, and other signatures provided in the alert. The agencies also recommended adding certain IP addresses cited in the alert to their watch lists.</p><p>"Reviewing network perimeter netflow will help determine whether a network has experienced suspicious activity," according to the alert. </p><p>The two agencies also compiled a list of 28 actions for network administrators to take in response to Russia's activity, including monitoring virtual private networks for abnormal activity, deploying Web and email filters, and segmenting critical networks and control systems from business systems and networks.</p><p>"What DHS is recommending, at the end of the day, are properly built ICS networks, monitored so organizations can detect attacks and are plugged into external threat intelligence, with incident response plans and board-level strategic roadmaps," Patterson says.</p>

 

 


 You May Also Like...

 

 

Scanning the Schoolyard
https://sm.asisonline.org/Pages/Scanning-the-Schoolyard.aspx
<p>Relationships between students and campus law enforcement have been key to establishing an environment of safety and security at Delaware Valley School District, which encompasses 200 square miles in northeastern Pennsylvania.</p><p>"Kids have come to the police officers…and told them about potential threats that we've been able to curtail before they've happened," says Christopher Lordi, director of administrative services for the district.</p><p>About eight years ago, the rural district decided to employ its own sworn police force and hired five officers, including a chief of police. It has since added a sixth.</p><p>"Having a police force not only gives us a presence of an armed person to counteract any issues that we may have, but it also allows us to create relationships with students," Lordi says. </p><p>The officers are a presence on the three campuses that make up the district. They may be found teaching and conducting Internet safety classes and anti-drug programs. </p><p>"Not only are they our first line of defense, but they're also relationship builders, and they create positive environments where kids will feel comfortable to come and tell them things," Lordi says.</p><p>Still, the officers and faculty can't be everywhere at once when incidents do occur, which is why the district installed a camera and video management system (VMS) about 10 years ago. </p><p>"It doesn't matter how many administrators you have, how many teachers you have, how many officers you have," Lordi notes. "They can't be everywhere at once, so the cameras allow us to be in those places when somebody can't." </p><p>As the original cameras and VMS were becoming outdated, Delaware Valley's board was supportive of purchasing a new system. 
The district worked with integrator Guyette Communications of Plymouth, Pennsylvania, and chose the Vicon Valerus VMS system, as well as approximately 400 cameras, also from Vicon. Installation began in March 2017 and ended just before the new school year began in August. </p><p>The cameras, the majority of which are the 3 megapixel IQeye Alliance dome model, were installed inside and outside of the district's eight buildings. The Vicon Cruiser domes with 30x optical zoom were purchased for the parking lots to better read license plate numbers. Campus police have access to a license plate database, so no license plate recognition software is needed, but Vicon does integrate with such software should customers need that feature. </p><p>In addition to feeding into a central video server at a district-wide monitoring station, each building has its own local recording capability and stores video for a set number of days. </p><p>Delaware Valley is expanding a career and technical education wing, which includes 25,000 square feet of classrooms and workspace. The school plans to install more cameras there. </p><p>The district police force is responsible for managing the VMS, and each officer has a hardwired PC monitoring station to view video feeds. Campus police also have access to footage via iPhones purchased by the district and use them to see what's going on at their campuses. </p><p>"When we need to view something quickly our officers can go right on their iPhones and view it right from there, which is handy if you don't have the ability to get back to your computer," Lordi says. </p><p>Giving all officers access to the entire district's camera feeds was also crucial. "We did that for backup purposes," he says. 
"If anything were to happen on one of the campuses, all of the officers—after they secure their buildings—can go on and be the eyes and ears for our officers on those other campuses."</p><p>Soon after the cameras were installed, the new system led to the capture of a thief. In the spring of 2017, when a laptop went missing, the video was reviewed in the general time frame that the incident occurred. It revealed an employee going into an administrative office with a garbage bag, then coming back out. </p><p>"We could zoom in, and you could see that the bag was significantly larger when the employee came out," Lordi notes, adding that the old camera system would not have been clear enough to identify the culprit. The footage was turned over to local police, who apprehended the employee. That person has since resigned. </p><p>The detail captured by the cameras also helped solve an incident in the parking lot. Lordi notes that the main campus is in a high-traffic area, which can attract unwanted activity. </p><p>"We were able to pull the license plate from one person that had an incident on campus...and track the person down," Lordi explains. "It just provides another layer of security, so we know who's on the campus and what time they leave the campus."</p><p>While the district currently hands footage over to law enforcement after the fact, it's working on a memorandum of understanding with local police and hopes to establish a network that allows police to view video from the campuses live. "We're currently working on a strategy to get them involved beforehand," Lordi says. </p><p>With the combination of its police force and the camera system, Delaware Valley has seen a significant reduction in incidents on campus. </p><p>"When our officers first started we had something like 200 to 250 incidents that our administrators were dealing with; I think last year we had 36," he says. 
</p><p>The Valerus VMS and cameras give campus police and administrators peace of mind about their ability to solve incidents, and ultimately keep students safe. </p><p>"It allows us to feel secure knowing that it's going to be on camera if someone doesn't view or witness it live," Lordi says. "We can always view it on the cameras later." </p><p><em>For more information: Dee Wellisch, dwellisch@vicon-security.com, www.vicon-security.com, 631.952.2288.</em></p>
An Explosive Act: Assessing the Safety of Chemical Facilities
https://sm.asisonline.org/Pages/Assessing-the-Safety-of-Chemical-Facilities.aspx
<p>Just before Hurricane Harvey made landfall on Friday, August 25, 2017, chemical manufacturer Arkema made the decision to shut down its plant in Crosby, Texas, to brace for the storm. The plant soon lost power and received almost 40 inches of rain by Monday afternoon, causing heavy flooding that inundated its backup generators. A small crew of 11 people remained on site to monitor the storm damage and the safety of the organic peroxides that were stored at the plant.</p><p>These chemicals needed to be stored at a low temperature. But after the plant's backup generators were flooded, refrigeration failed. So, the crew transferred the chemicals from their current storage in warehouses into diesel-powered refrigerated containers and continued to monitor the situation—which worsened as the rain continued to pour down.</p><p>With the water continuing to rise, Arkema was forced to make another difficult decision: evacuate the plant and the 1.5-mile radius around it.</p><p>"Arkema is limited in what it can do to address the site conditions until the storm abates," the company said in a press release. "We are monitoring the temperature of each refrigeration container remotely. At this time, while we do not believe there is any imminent danger, the potential for a chemical reaction leading to a fire and/or explosion within the site confines is real."</p><p>To reduce the threat of an explosion injuring others, Arkema worked with the U.S. Department of Homeland Security (DHS) and the State of Texas to continue to monitor the situation. They soon realized that while the chemicals were not fully igniting as they began to warm up, they were beginning to degrade. 
To address the threat, Arkema decided to ignite the containers the chemicals were housed in to eliminate the threat of an uncontrolled blast.</p><p>"This decision was made by Arkema Inc. in full coordination with unified command," the company said. "These measures do not pose any additional risk to the community, and both Arkema and members of the unified command believe this is the safest approach."</p><p>While the situation in Crosby was not ideal, it showed how facilities that manufacture, store, and transport chemicals in the United States are embracing a new mindset towards security and planning how to handle the worst-case scenario when it happens—whether it is a power outage or a terror attack.</p><p>One effort that's helping to spearhead this mindset is DHS's Chemical Facility Anti-Terrorism Standards (CFATS) program, which has sought to address and mitigate the threat of chemicals since its inception in 2007. </p><p>"In 2007, chemical security was fairly new and people weren't really sure what it meant," says CFATS Acting Director Amy Graydon. "We've since been able to foster this environment of chemical security."</p><p>But that environment could be in danger if Congress does not reauthorize the CFATS program, which is set to expire in January 2019. </p><p>"We think that reauthorization is the key to reducing the threat of terrorists using chemicals," Graydon explains. "We think that the program has really reduced the risks and is an important element of making the country more secure."</p><h4>CFATS Basics</h4><p>In the 2007 DHS Appropriations Act, Congress required the agency to create regulations that established risk-based performance standards for chemical facilities that present high levels of risk. 
DHS was also mandated to subject these facilities to vulnerability assessments and require them to develop and implement site security plans.</p><p>To do this, DHS worked with industry to create the CFATS program—which is part of its Infrastructure Security Compliance Division (ISCD). The program identifies and regulates facilities that possess chemicals of interest at specific concentrations and quantities.</p><p>These concentrations and quantities are listed in what's referred to as Appendix A of the CFATS regulation. More than 300 chemicals are included, along with their screening threshold quantities. The chemicals are also categorized into three groups depending on the potential security threat of the substances: release, theft or diversion, and sabotage.</p><p>Facilities that meet or exceed the screening threshold quantities for chemicals of interest listed in Appendix A are required to report their possessions to DHS via a questionnaire called a Top-Screen.</p><p>ISCD then reviews that Top-Screen and notifies facilities if they are considered high risk and ranks them into Tier 1, 2, 3, or 4—with Tier 1 the highest. As of February 2018, ISCD had received Top-Screens from more than 40,000 facilities and determined that roughly 3,500 of those are high risk and must comply with CFATS.</p><p>Facilities that are tiered then must submit a Security Vulnerability Assessment and a Site Security Plan, or an Alternative Security Plan, that meets risk-based performance standards detailed in the CFATS regulation. These standards address factors such as perimeter security, access control, personnel security, and cybersecurity. The stringency of the requirements varies based on what tier a facility falls into, and facilities can create their own security plans—rather than having CFATS create a prescriptive security plan for them.</p><p>Once the plans have been submitted, ISCD inspectors perform a facilities inspection before approving the plans for implementation. 
</p><p>This process has proved beneficial to facility operators, says Jennifer Gibson, vice president of regulatory affairs for the National Association of Chemical Distributors.</p><p>"Those visits, while cumbersome, allowed for a lot of back and forth, getting clarity on what the agency was looking for," Gibson explains. "Usually it turned out that a facility would make changes to its plan, based on that inspection."</p><p>After inspectors approve the plans, facilities are expected to implement them. If they do not, they can be ordered to cease operations or issued a civil fine, with a maximum penalty of $33,333 per day per violation, as of February 2018.</p><p>Facilities are also required to resubmit their Top-Screen if they have a change in holdings, such as using new chemicals of interest for business processes.</p><p>"It could be that they may need some other security measures because we look at the type of chemical and its risks," Graydon says. "So, for theft and diversion, we're worried that a terrorist could be intentionally trying to either steal or divert the chemical for misuse; whereas for release, it's that the terrorist would be coming to the facility to cause a release."</p><p>During its first five years, CFATS did not approve a single facility site security plan. But since then, it has made major strides and completely eliminated its backlog to move into the compliance phase of the program. Now, approximately 140 inspectors are visiting sites based on risk—there is no mandated requirement for how often inspections occur.</p><p>"We have the compliance inspection index, and it takes into consideration a facility's tier, the number of planned measures that a facility has, and the amount of time since the last inspection," Graydon says. "So, we can get to folks in an appropriate manner." </p><h4>CFATS Changes</h4><p>After CFATS was up and running, some members of Congress and the chemical sector expressed concerns about the program. 
Primarily, concerns centered around the "administrative burden associated with the development of facility security plans and the pace of DHS efforts to process and approve them," according to a U.S. Government Accountability Office (GAO) report. </p><p>Congress addressed these concerns by passing the Protecting and Securing Chemical Facilities from Terrorist Attacks Act in 2014. It reauthorized the CFATS program and created an Expedited Approval Program (EAP), a voluntary option for Tier 3 and 4 facilities regulated under CFATS.</p><p>The EAP allows DHS to identify specific security measures that meet the risk-based performance standards of CFATS that facilities must implement to be compliant. </p><p>For example, release facilities would have to certify that their emergency equipment included at least one of the following: a redundant radio system that's interoperable with law enforcement and first responders, at least one backup communications system, an emergency notification system, an automated control system or process safeguards to place critical assets in a "safe and stable condition," or emergency safe-shutdown procedures.</p><p>"The EAP is expected to reduce the time and burden on smaller chemical companies, which may lack the compliance infrastructure and resources of large chemical facilities," GAO said. </p><p>CFATS implemented the EAP in June 2015. But as of April 2017, GAO found that only two organizations of 2,496 eligible facilities had used the EAP. </p><p>"Officials representing the two EAP chemical facilities told us that their companies involve small operations that store a single chemical of interest on site and do not have staff with extensive experience or expertise in chemical security," GAO reported. 
</p><p>Representatives from the two facilities also said they used the EAP because it helped them reduce the time and cost to prepare and submit their site security plans.</p><p>"For example, the contractor who prepared the site security plan for one of the two EAP facilities said that the facility probably saved $2,500 to $3,500 in consulting fees by using the EAP instead of a standard security plan."</p><p>Ultimately, only one of these organizations followed through with the EAP process because the other was later re-tiered and no longer considered a high-risk facility subject to CFATS.</p><p>Since the GAO report was issued, 16 facilities have used the EAP and Graydon says she is optimistic that more facilities will use the program moving forward.</p><p>"We think that only two facilities might have taken advantage of the EAP program because of where all facilities were in the process already by the time it rolled out," she adds. "Most facilities had already completed their site security plans or their alternative security programs."</p><p>Graydon's sentiments echo GAO's analysis, which found that the timing of EAP's implementation, its prescriptive nature, the lack of an authorization inspection, and a certification form requirement may have initially hindered participation in the program.</p><p>"DHS conducts in-person authorization inspections to confirm that security plans address risks under the standard process, but does not conduct them under the expedited program," GAO said. "DHS officials noted that some facilities may prefer having this inspection because it provides them useful information."</p><p>Since the EAP's rollout, CFATS has made other changes to the program that might also affect participation. 
For instance, DHS updated the online tool that facilities use to send data to ISCD for their Top-Screen to make it a much more streamlined process.</p><p>"We really took the opportunity to streamline and bring it up into the 21st century so we were using smart tools with logic," Graydon says. "We were able to reduce some duplicative questions, reducing the time it would take people by 50 percent—down to six hours."</p><p>This streamlining effort cascaded throughout CFATS data collection processes, dropping the time it took to complete a security vulnerability assessment from 65 hours to 2.5 hours, and site security plans from 225 hours to 20 hours.</p><p>"We were able to do that because the reauthorization had given us the stability to move forward," Graydon says. "The reauthorization gave not only industry the stability it needed to make capital investments…it gave us the opportunity to make some internal changes as well."</p><p>CFATS also launched a re-tiering effort looking at 27,000 facilities' initial Top-Screens from 2007 and 2008, and asking them to resubmit. It then re-tiered some facilities by incorporating threat and vulnerability into the overall tiering methodology, which is not public.</p><p>"We refined what we were looking at, particularly for facilities for theft and diversion," Graydon says. "We were able to incorporate some inherent vulnerability in that." For instance, Graydon gave the example of looking at the portability of chemicals and taking that into account when determining the risk level for a facility.</p><p>"It would be easier to steal a vial than a big tank; we were able to model the actual amount of the chemicals…," and include them in the tiering methodology, Graydon adds.</p><p>In a recent hearing before the U.S. 
House Homeland Security Subcommittee on Cybersecurity & Infrastructure Protection, Chet Thompson—president of the American Fuel and Petrochemical Manufacturers—said the re-tiering effort was an improvement on the old system.</p><p>"Folks believe risks are being better assessed, and a number of our facilities have been re-tiered," he explained. </p><p>However, Kirsten Meskill, director of corporate security for BASF Corporation, testifying on behalf of the American Chemistry Council (ACC), said that while ACC has seen a reduction in higher-risk facilities under the re-tiering, there's still a lack of transparency in the process.</p><p>"We don't know how these risk tierings were applied to the general sites," she said, adding that—from her perspective—there was no way to know whether the new method is addressing "real risks out there."</p><p>To address this, panelists at the hearing suggested that the GAO be brought in to review the new CFATS tiering methodology and issue a report on its effectiveness.​</p><h4>Future of CFATS</h4><p>Despite some complaints about lack of transparency, all the panelists at the subcommittee hearing were in favor of reauthorizing the CFATS program. </p><p>"Any lapse in the program would be a serious concern to us," said Pete Mutschler, environment, health, and safety director for CHS Inc., adding that it would be "highly disruptive to both the industry and the regulated community" if CFATS were allowed to lapse and then be reinstated.</p><p>Mutschler said he was in favor of a multiyear reauthorization for CFATS to provide certainty to the regulated community so it can make "long-term investments" in security to comply with the program.</p><p>Doug Leigh, who serves as manager of legislative affairs for the National Association of Chemical Distributors, says that his members are also in favor of a lengthy reauthorization for the CFATS program. </p><p>"The last thing we want to see is a three-month reauthorization," Leigh says. 
"It would be going backwards instead of going forwards."</p><p>Graydon says she is optimistic about CFATS being reauthorized by Congress, due to its track record over the past several years in improving processes and reducing risk.</p><p>"We feel that we have demonstrated that we are a smart regulatory program—that we look for efficiencies," Graydon explains. "We are able to incorporate lessons learned, and we would like permanent or long-term reauthorization to make sure we have continued stability for industry and the program to continue to make efficiencies."</p><p>As of <em>Security Management</em>'s press time, no member of Congress had introduced a bill to reauthorize the CFATS program.</p>
https://sm.asisonline.org/Pages/Banks-Balk-on-Bud.aspx
Banks Balk on Bud
<p>When seasoned security manager and longtime ASIS International member Brian Gouin started working as a consultant and virtual security manager for a medical marijuana production facility in Maryland, he certainly had some questions about the security challenges that the new gig might pose.</p><p>Would external theft be a problem? He had no experience in this sector, and dark visions of criminal cartels stormtrooping the facility to steal product occasionally crossed his mind. Luckily, that never happened.</p><p>"External theft has really not been a big problem. Surprisingly, there has not been a lot of that," says Gouin, who has spent nearly 30 years in the security industry and is currently owner of Strategic Design Services, a firm specializing in security design and project management services.</p><p>Still, the marijuana production facility did employ armed guards, because it held product that was worth at least $5 million. "That's more dollar value than 99 percent of banks in the state," Gouin explains. And since marijuana is so easy to sell, that product can be considered almost the equivalent of cash, he adds.</p><p>But unlike external theft, internal theft was a problem. Employees sometimes helped themselves to a bit of product "to go" when leaving the facility for the day. Finding ways to screen workers on the way out was difficult. Complicating this matter is that keeping track of the on-hand marijuana supply can be a complex task. "You can't inventory it the way you inventory other products. You have to dry the plant; when you dry the plant, it loses weight," Gouin explains.</p><p>And working with certain company employees was an unusual experience, even for a veteran security consultant well-accustomed to adjusting to different types of office cultures. "It's so unique because of the type of person working there.
Most of these people five years ago were running from the cops and making this stuff in their basement," Gouin says. "They are naturally distrusting of security."  </p><p>Overall, many of the facility's biggest security challenges stemmed from the fact that it is a nearly all-cash business. The ramifications of this are many. For instance, cash at a thriving marijuana business can accumulate quickly; but when it comes time to deposit the money earned, banks generally do not want to accept huge currency bundles, which can result in scrutiny from federal regulators, Gouin explains.</p><p>Given this, many marijuana businesses are forced to keep significant cash on hand. Some outgoing expenses, like compensation for day workers and certain bills, can be paid in cash, Gouin explains. Much of the rest can be deposited in smaller amounts that are spread out, so the bank will accept them. Of course, transiting large amounts of cash can also be risky, so the operation bought and used an armored vehicle, described by Gouin as "a small vanny-type thing."</p><p>Still, in one way the business that Gouin works for is lucky—it found a local bank that will take its money.  </p><p>Because U.S. federal law still includes marijuana on its Schedule I list of illegal substances, no large "tier one" bank will do business with cannabis companies now, says Joshua Laterman, CEO and founder, National Association of Cannabis Businesses (NACB). This is the "black letter of the law" that means that banks can be charged with crimes like money laundering if funds they have accepted from cannabis companies are mixed with other funds and enter the U.S. federal wire deposit system. This could lead to a federal indictment. </p><p>"No tier one bank enters the sector unless the law changes or some type of [exception] is put into place, like a safe harbor," Laterman says. 
"There is no cure, full stop."</p><p>This is a significant problem, given the growth and revenue-generating power of the cannabis industry. Going into 2018, nine states and Washington, D.C., had legalized marijuana outright; for medical purposes, marijuana is legal in 29 states and D.C. This year, at least 12 states are poised to consider marijuana legalization; Vermont already did so in January. On the whole, the industry generated $7 billion in revenue in the last 12 months, and this figure is expected to rise to $10 billion this year, according to NACB.</p><p>Given this revenue generation, some local banks (like the one working with Gouin's facility) and credit unions have tried to step in and fill in the vacuum. "It's the only show in town right now," Laterman says. These local banks often charge an extra compliance fee, and they usually just provide an account and some checks, without offering more involved services like credit cards. On the whole, these banks believe that the potential reward is worth the potential risk, and that working with local business is "in service of their mission." </p><p>"It's all very hyper-local," Laterman says. "They do it in a very personal way."</p><p>Nonetheless, these local banks usually cap the amount of deposited funds at $250,000, the limit that the Federal Deposit Insurance Corporation (FDIC) will insure. All things considered, there are not nearly enough of these smaller banks willing to accommodate all the revenue. "It's like trying to handle a two-liter soda with a Dixie cup," Laterman says.  </p><p>Across the northern border, no such problem exists. Canada has legalized marijuana for medicinal purposes throughout the country, and banks and other financial institutions have no problem working in the industry. 
"You're seeing investment banks, you're seeing accounting firms, and you're seeing law firms who will not do any transactions in the United States, but they are doing a lot in Canada," Laterman explains.</p><p>However, back in the United States, it is possible that there will be some movement on the legal issue in the near future. Some analysts have said that if more states continue to legalize marijuana, it will simply not be tenable for the country to have two sets of applicable law. Congress will have to act and change the banking laws to allow for an exception, so that a licensed marijuana distributor can use the banking system.</p><p>Moreover, what may help drive an effort for a solution is the U.S. government's realization that an industry generating billions in revenue without a banking and finance structure to support it could turn into a security nightmare. </p><p>"The money needs a place to be put, and there's not enough places to put it in. That's a growing public safety risk," Laterman says. California, he adds, holds some promise as a potential solution driver. As part of that state's legalization effort, officials set up a high-powered working group to address the legal issues. "It's a great effort; they are getting great people around the table," Laterman says.</p><p>He adds that NACB, which describes itself as the only self-regulatory organization (SRO) in U.S. cannabis, will continue its work of professionalizing the industry with credentialing, licensing, education, and other such programs. "We need to address the trust and information gaps, and better understand who the players are," Laterman explains. </p><p>Meanwhile, security managers who are curious about what it is like to work in the U.S. cannabis industry may want to check out The Marijuana Project, a novel published by Gouin (under the pen name Brian Laslow) that was in part inspired by his experiences in the industry. 
</p><p>In the book, security expert Sam Burnett, a conservative family man who runs a security program at a medical marijuana production facility, wrestles with the moral issues of working with the drug while he navigates the dangerous plot twists and turns that the thriller storyline takes him through. Although the book is fiction, the various industry issues and scenarios that the main character, a security expert, is involved with may be of educational value.</p><p>As for the real-life Gouin, who initially wondered if working in the cannabis sector would tarnish his professional reputation, he now says his experience was a positive one for his business: "It gave me another niche." And so his advice for fellow security managers who are interested in following his lead is "go for it"—as long as they do their due diligence beforehand.</p><p>"You have to understand the quirks of the industry," he says.</p>