Shock to the System
National Security, 2018-12-01, Lilly Chapa
<p>Throughout 2018, news trickled out of the White House about the involvement of China and Russia in any number of schemes, campaigns, and infiltration into American life—influencing elections, critical infrastructure, and social media alike. One such attempt—which appears to have been successful—was the Russian infiltration of the electric grid.</p><p>A joint report from the FBI and U.S. Department of Homeland Security (DHS) described Russia’s use of compromised third-party vendors to gain access to power companies’ systems in 2016. Once inside the computers, though, the hackers modified code in the systems to record information about power grid operations. The operatives wrapped up their scouting mission by carefully covering their tracks, leaving questions as to whether malware remains on affected computer systems. The intrusion also raises concerns about what exactly the Russians were trying to accomplish—the official report is vague about what impacts, if any, the attack has had on the electric grid, or what might come next. However, DHS officials have acknowledged that the hackers reached the point where they could have taken control of operations if they had wanted to.</p><p>The FBI/DHS report recommends following common cybersecurity best practices, such as finding and eliminating malware, administrator account management, and adopting better password practices. The reality, though, is that protecting America’s 5.5 million miles of electric grid from both cyberattacks like the one Russia carried out and physical threats such as natural disasters and malicious attacks is an immense challenge. </p><p>In the wake of the Russian grid hack, the U.S. 
Department of Energy (DOE) has pledged to get more utilities to participate in its Cybersecurity Risk Information Sharing Program (CRISP). The program uses monitoring devices to comb through operational data and detect cyberattacks—that’s how the Russian infiltration was discovered.</p><p>Some experts believe a wider-scale look at how power companies conduct security—as well as the guidance, vendors, and equipment used to do so—is necessary to prepare for high-impact, low-frequency events on the power grid. </p><p>Mark Weatherford, senior vice president and chief cybersecurity strategist at vArmour, posed questions to Ross Johnson, CPP, senior manager of security and contingency planning at Capital Power Corporation, and Ryan Frillman, director of information security and compliance at Spire Energy, during a session at GSX 2018. </p><p>​“High-intensity, low-frequency events don't happen often, but when they do, they can kill you or your organization,” Johnson noted. “If it’s a once-in-20-years event, people say that they have 19 more years before they have to worry. It’s extremely difficult to convince people. We end up creating fictional scenarios to try to solve the problem—ones that we don’t even believe ourselves.”</p><p>While there is plenty of government guidance on best practices, Frillman pointed out that the industry needs to figure out how to balance compliance and heavy regulation—an issue with the North American Electric Reliability Corporation (NERC), where noncompliance with its mandatory reliability standards can result in hefty fines. </p><p>“On the issue of innovation, it’s a great world out there—things are moving forward at very great speed, but the problem in the electric sector is that we’re creating barriers that make it difficult for us to succeed,” Frillman explained. “Never get in your own way, and I think in that area we are.”</p><p>But innovation comes with potential vulnerabilities. 
Johnson noted that his organization is moving away from a preferred vendor system—which can stifle the adoption of new technology—and towards using a vendor vetting process to identify trustworthy organizations. Supply chain risk management assessments are key to adopting new vendors and technologies, he said.</p><p>“What I’d like to come up with are community prequalifying vendors,” Johnson said. “We use standards which are terrific, but the problem is it tends to keep us stuck with using old technology, and it’s difficult to get into new technology because there’s great comfort in the way we used to do things—and the security of that.”</p><p>Weatherford agreed, noting that NERC’s Critical Infrastructure Protection standard can be behind the times when it comes to technology like supervisory control and data acquisition (SCADA), which could allow critical infrastructure systems to operate in a more secure and efficient way.</p><p>“I’ve been trying to convince NERC that the current standards drafting process simply doesn’t work in an innovative environment,” Weatherford noted. “Being able to take advantage of the cloud and newer technology—most utilities are rightly very apprehensive about doing something from a technology perspective that could get them with those million-dollar-a-day fines.”</p><p>A new report published by Johns Hopkins University Applied Physics Laboratory, Resilience for Grid Security Emergencies: Opportunities for Industry-Government Collaboration, agrees with Weatherford’s premise—NERC compliance alone may not be enough to keep the industry truly prepared for an attack. The report, which advocates for the DOE and industry to jointly outline a series of emergency operations in the case of a power grid attack, notes that DOE needs to take a role in emergency response.</p><p>“Grid owners and operators are also spring-loaded to employ emergency measures the moment they are needed,” the report notes. “Indeed, the [NERC] can fine most major U.S. 
power companies if they fail to implement emergency actions to protect grid reliability. This robust industry preparedness begs the question: what added value can DOE emergency orders provide?”</p><p>Currently, the secretary of the DOE has the ability to issue emergency orders to the power industry during an imminent or underway attack in order to protect and restore grid reliability. However, the scope of what the secretary might require companies to do is unknown, and the report notes that companies and the government should draft basic orders based on three attack scenarios. </p><p>“Such operations might include staffing up emergency operations centers, prepositioning recovery personnel and supplies, increasing available generation to help manage grid instabilities, and taking other precautionary measures,” the report states. </p><p>The Hopkins report notes that attacks that damage large numbers of difficult-to-replace grid components could disrupt power to some regions for weeks or months. Additionally, the public declaration of a grid security emergency will spark a media frenzy—allowing attackers to further sow discord.</p><p>“Against a backdrop of fear and uncertainty, adversaries may use social media and other means to spread further disinformation and incite public panic as part of their attacks,” the report states. Adversaries may also disrupt communications systems that industry and the DOE would use to coordinate. “Industry and government partners should build on their existing array of coordination mechanisms and communications playbooks to prepare for grid security emergencies.”</p><p>And once companies enter the recovery phase to restore power, they should prepare to shift back into the imminent security phase, the report notes. Indeed, cooperation with government and between industry partners is imperative to prevent and respond to an attack on the power grid.</p><p>“We work for our companies, but they’re secondary,” Johnson said at the GSX panel. 
“We really work for the bulk electric system. We keep the lights on. We can’t sell power unless there’s a bulk system to sell it into, and our first responsibility as security professionals is to the larger industry.”</p>

Pirates Sail the Digital Seas
<p>In the late 16th century, the British Empire granted official documents called “letters of marque” to seafarers, authorizing them to attack and pillage Spanish vessels in the New World. These privateers became known as Queen Elizabeth’s Sea Dogs; among them were the famous Sir Francis Drake and Sir Walter Raleigh. These privateers were essentially granted a license to commit piracy and help England gain a foothold in new territories–even when Spain and England were not at war. But some Sea Dogs decided to turn away from their queen and seek personal gain instead. One such man, Captain Kidd, was eventually arrested and executed for his mutiny. </p><p>Sea Dogs like Captain Kidd strayed far from their original purpose of helping build up the British Empire, and instead brought embarrassment to the crown. Eirik Iverson, director of product management at Tangible Security, compares such privateers to the Chinese nationals who have been accused of stealing trade secrets from U.S. firms.</p><p>Research by U.S.-based cybersecurity firms and, most recently, charges by the U.S. Justice Department, indicate that China is funding its own cyber privateers to spy on and steal secrets from U.S. businesses. But Iverson predicts that, like the British Sea Dogs, eventually the Chinese are going to feel some pain from their own privateers. He says the hackers “go where the opportunities are, and eventually that opportunity is going to be in China.” </p><p>As the evidence shows, China is not punishing its own cybercriminals who are attacking other nations. But the U.S. government took a broad step in prosecuting Chinese cybercrime in May when, for the first time, the Justice Department brought cyber espionage charges against five nation-state actors, all members of the Chinese People’s Liberation Army (PLA). 
</p><p>A grand jury in the Western District of Pennsylvania brought the charges, which accuse the hackers of infiltrating the networks of six U.S. companies and stealing information “from those entities that would be useful to their competitors in China,” according to the official indictment. </p><p>Advanced Persistent Threats</p><p>In February 2013, cybersecurity firm Mandiant released a well-publicized 60-page report on a group it refers to as APT1 (Advanced Persistent Threat 1), which it had suspected for some time was a state-funded group of Chinese cyberthreat actors. The Justice Department indictment alleges that the five hackers were a part of the same unit Mandiant names in its report. </p><p>From 2004 on, Mandiant collected IP addresses, command and control information, and other important data about the hacking group. In January 2010, Mandiant released limited information in a small public report to see how the group’s cyber activity was affected.</p><p> “We put out a ton of indicators about the infrastructure, the sort of nuts and bolts of where these actors were coming from,” says Laura Gallante, manager of threat intelligence at FireEye, a firm acquired by Mandiant earlier this year. “Then what we were able to do was watch what happened from that released infrastructure for the next year.” </p><p>Gallante explains that criminal activity generated by the machines belonging to those addresses subsided, and eventually stopped. The infrastructure Mandiant made public was no longer in use. “So there was an entire shift in the IP addresses, in the infrastructure that this group was using,” she says.  </p><p>After further observation of how the group operated, Mandiant concluded that there was evidence the group was linked to the Chinese PLA. For example, much of the malicious cyber activity was coming out of the army unit’s headquarters in Shanghai. In its report, Mandiant revealed that at least 141 breaches were directly attributable to the group. 
Further, Mandiant determined that the Chinese government was almost certainly directly sponsoring the hackers. </p><p>“Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China’s cyber threat actors. We believe that APT1 is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support,” the APT1 report stated. </p><p>State Actors</p><p>Understanding that the group behind the recent cyber espionage charges is state-funded makes the allegations substantial, says Paul Tiao, a partner at Hunton & Williams and former senior cybersecurity counselor to the FBI. “What’s different here is that these are actually Chinese government employees. It’s the implications of the charges that are really damaging, as opposed to the nature of the charges themselves,” he notes. </p><p>The 56-page indictment outlines in detail the alleged cyber theft carried out by Chinese hackers against six U.S. companies: Alcoa, U.S. Steel, Westinghouse, Solar World AG, Allegheny Technologies Inc., and the United Steel Workers. The indictment brings 31 counts in total, including conspiring to commit computer fraud, accessing a computer without authorization for the purpose of commercial advantage and private financial gain, damaging computers through the transmission of code and commands, aggravated identity theft, economic espionage, and theft of trade secrets.</p><p>The charges brought by the Justice Department are historic, but in some ways not surprising, as the White House has been ramping up efforts to combat cyber espionage over the past two years. The 2013 National Intelligence Estimate revealed that China and Russia were the most aggressive nation-states going after U.S. intellectual property and other sensitive information via cyber espionage. 
“Russia and China remain the most capable and persistent intelligence threats and are aggressive practitioners of economic espionage against the United States,” the report stated. “Countering such foreign intelligence threats is a top priority for the Intelligence Community for the year ahead.” </p><p>Tiao explains that there have been many criminal cases involving Chinese nationals and trade theft. The Computer Crimes and Intellectual Property Section (CCIPS) of the Justice Department investigates and prosecutes cybercrime cases, but these usually do not involve nation-state hackers. “They’re private actors; they’re individuals either acting for themselves or for criminal organizations or for hacker organizations, and they read like these indictments do,” he says.</p><p>The companies that were targeted are large, but Tiao, who formerly served as a federal prosecutor in the cyberspace unit, says he handled cases on much smaller scales, and believes the U.S. government wants to protect organizations of all sizes. “I’m hoping that the public doesn’t think that the U.S. government only goes after the biggest hackers,” he notes. </p><p>The Justice Department made its intentions clear in its official announcement of the charges, stating that it intends to prosecute any cybercrime against U.S. critical infrastructure. “With our unique criminal and national security authorities, we will continue to use all legal tools at our disposal to counter cyber espionage from all sources,” FBI Director James Comey said in a joint statement with Attorney General Eric Holder and other U.S. officials. </p><p>Critical infrastructure. Experts say the companies targeted by the Chinese hackers are noteworthy because each business is considered to be critical infrastructure. “This is about as opposite as you can get from the Target and Neiman Marcus and retail store hackings,” says Craig Newman, managing partner at Richards Kibbe & Orbe LLP. “This is more aimed, clearly, at sabotaging U.S. 
companies and undermining competition in a free-market system. These [attacks] were meant to go to the heart of competition and create an unlevel playing field when it comes to commercial transactions.” </p><p>That undermining of the competition is apparent, for example, in the SolarWorld AG case outlined in the indictment. The Oregon-based company was “rapidly losing its market share to Chinese competitors that were systematically pricing exports well below production costs; at or around the same time, members of the conspiracy stole cost and pricing information from the Oregon producer,” the indictment states. </p><p>In the Westinghouse case, the Pennsylvania nuclear power company was negotiating the construction of four power plants in China when hackers stole data. The information included “proprietary and confidential technical and design specifications for pipes, pipe supports, and pipe routing for those nuclear power plants that would enable any competitor looking to build a similar plant to save on research and development costs in the development of such designs.” </p><p>In both instances, the Justice Department says national security, not just competitive advantage, is a concern because hackers stole “sensitive, internal communications that would provide a competitor, or adversary in litigation, with insight into the strategy and vulnerabilities of the American entity.”</p><p>Newman points out that there are critical Chinese-U.S. business relationships that drive the economies of both nations, making the diplomatic consequences of the case a significant factor. “The United States and China will probably do their best to minimize the commercial consequences, but at the same time the U.S. government is making clear that it’s not going to stand for this sort of widespread hacking, especially against companies that are so important to America’s critical infrastructure,” he notes.  </p><p>Sponsorship. 
According to Lance James, head of cyber intelligence at Deloitte, nation-state threat actors don’t necessarily have a modus operandi, so businesses across all verticals should be vigilant about protecting against potential attacks. “In some cases, such as APT1, the motive is to seize intellectual property for financial gain, though unlike other forms of financial crime, the financial interest is presumably tied to overall global economic standing and trade deficits,” he notes. </p><p>In other cases, the nation-state actors could be operating under an ideological agenda, or trying to launch “kinetic warfare” with denial of service attacks or other tactics designed to shut down infrastructure. </p><p>Gallante echoes this sentiment, noting that the nation-state actors often want to find out how to build the program that made the plane–not just obtain the blueprints for the plane. “It’s the broader understanding, the business know-how that makes U.S. and global businesses so much more competitive” that the hackers are after, she explains. </p><p>As the APT1 report demonstrates, the 141 companies hacked by the Chinese group represent 20 different industry verticals, but Gallante adds that “there are certain sectors…aerospace, manufacturing, pharmaceuticals, clean energy, energy in general, high-tech, that have a broad targeting profile” that attract the Chinese hacking groups. </p><p>Network Defense</p><p>In the case of the six U.S. companies that were breached, experts agree it is unlikely the suspects will ever see the inside of a U.S. courtroom. But the indictment should serve as a wake-up call for companies wanting to protect their intellectual property and other assets. “A lot of folks don’t think they’re the target,” says Iverson of Tangible Security. “This indictment…helps to manage the denial that’s out there, and instills a sense of vigilance that is absolutely needed,” he explains, adding that U.S. 
companies should not look at this case as an indication that the U.S. government is going to solve all their cybersecurity issues for them.  </p><p>Still, the message sent by the U.S. government that it intends to help businesses with cases involving cyber theft is an effective one, says Tiao. “I think it does send a strong message and it does create some level of deterrence, even if those people are never actually brought into court.” </p><p>Iverson says that employing reliable security architecture is the basis of a sound security program, from the basics, like firewalls and signature-based detection, up to more advanced offerings, like sandboxing, vulnerability scanning, and penetration testing. With penetration testing, skilled network professionals are hired to essentially breach an enterprise’s defenses to find out where the holes exist. “Face them in the practice yard, rather than in the battlefield, where the Chinese make real theft and deliver real harm,” says Iverson. </p><p>James says starting with the basics is key. “Know your environment, your network, and what assets you need to protect,” he says. “What secrets need to be protected, and where are they? How are they used, and are they stored securely?” </p><p>He says that once an organization has established those answers, risk management controls can be applied. For example, companies can physically segment network servers and apply stricter controls on e-mails and virtual private networks.  </p><p>Education. Gallante notes that user education cannot be overstressed for potentially protecting an organization against a full-scale attack. An attacker can gain a foothold in the network by infiltrating the account of a single employee. </p><p>The recent charges by the Justice Department reveal just how successful this technique can be–several attacks outlined in the indictment began with spear phishing e-mails. 
Such messages are disguised to appear as if they come from a legitimate source, and trick the recipient into clicking on a URL or downloading a document that contains malicious content. </p><p>In one case outlined in the indictment, 20 employees of U.S. Steel received spear phishing e-mails from one of the attackers, who disguised himself as the company’s chief executive. In another case, the hacker purportedly “attached a file disguised as an agenda for Alcoa’s annual shareholders meeting, which, once opened, would install malware on the recipients’ computers.”</p><p>Once the malware is downloaded to the user’s machine, the hackers have an entryway into the network. They can then move through the rest of the company’s infrastructure and do damage, often remaining undetected for long periods of time.  </p><p>Gallante says a particularly successful phishing e-mail for attackers is one in which the hackers purport to be the organization’s IT department and prompt the recipient to change his or her password in fields contained within the message. She says this type of e-mail has tricked employees at all levels of organizations, from the CEO down. </p><p>“Over 90 percent of the compromises that we see start with a phishing e-mail,” Gallante adds. </p><p>Companies should be vigilant about training their employees to be on their guard against such e-mails and always think twice before clicking on any links or downloading attachments coming from a source that’s possibly unknown.  </p><p>Information sharing. Any amount of intelligence provided by an organization that’s suffered a breach can be useful in preventing future attacks by the same entity with the same toolkit, says James. “It is critical that information-sharing exists. 
We run up against the challenge of over-classification when it comes to ‘national security’ issues, and this can hinder the sharing flow,” he notes.</p><p>James says focusing on remediation and minimizing impact when actors have infiltrated one’s network is important, but taking that extra step to share threat intelligence is helpful to other organizations.  </p><p>But when it comes to combating cyber incidents, industry operators involved in threat intelligence “have a responsibility to respect the limits of our reach when it comes to nation-state activities,” James says. </p><p>James further notes that getting law enforcement involved immediately is crucial when it comes to state-sponsored activity, and may even help prevent future escalation internationally between nations. “It is not always wise to expose such actors publicly without this coordination,” he says.</p>
Quiet Threat: Fighting Industrial Espionage in America
<p><span style="color:#ff0000;"><strong><em>****</em></strong></span><strong><em>* The Quiet Threat: Fighting Industrial Espionage in America, 2nd Edition. By Ronald L. Mendell. Charles C. Thomas Publishers; 272 pages; $43.95.</em></strong></p><p>As this book explains, colleges are adding intelligence courses to business and security curricula at an increasing rate. They are needed because as companies outsource technology, they open avenues for the criminal element or the competition to intercept information. This second edition updates its treatment of the topic with additions on tradecraft of the industrial spy and data mining of business information.</p><p>Ronald Mendell explains governmental spying and how it differs from industrial espionage, with the latter being the primary focus of this work. 
He also discusses how espionage has in large part evolved from high-tech gadgetry of the Cold War to business-on-business cyberespionage and social engineering. He completes the explanation with a discussion of the espionage process and the players involved, who can include university researchers, suppliers, contractors, and others connected to the finished product.</p><p>Each chapter explains a particular aspect of espionage. A historical component is included to further define its relevance and how it has morphed into what it is today. He discusses what one would seek, for example, by visiting an ironworks in 1861 versus what one would seek at a major defense contractor in 1993 and how the information would be accumulated and used.</p><p>Mendell explains that an adversary is as likely to show up on a shop floor during a tour as to attack through cyberspace. He does a good job of defining intellectual property versus a trade secret, and he notes that how they are defined in court is often a matter of how they are protected. He emphasizes that security awareness is important regardless of company politics or position.</p><p>This work was informative and engaging in its presentation, aided by graphs, references, and suggestions for further reading. It would be useful as an upper level university text, certification requirement, or general knowledge reference for a security practitioner.</p><hr /> <span style="color:#800000;"><strong>Reviewer:</strong></span> William Eardley, IV, has 26 years of experience in security and corrections. He is a member of ASIS International.
Explosive Act: Assessing the Safety of Chemical Facilities
<p>Just before Hurricane Harvey made landfall on Friday, August 25, 2017, chemical manufacturer Arkema made the decision to shut down its plant in Crosby, Texas, to brace for the storm. 
The plant soon lost power and received almost 40 inches of rain by Monday afternoon, causing heavy flooding that inundated its backup generators. A small crew of 11 people remained on site to monitor the storm damage and the safety of the organic peroxides that were stored at the plant.</p><p>These chemicals needed to be stored at a low temperature. But after the plant's backup generators were flooded, refrigeration failed. So, the crew transferred the chemicals from their current storage in warehouses into diesel-powered refrigerated containers and continued to monitor the situation—which worsened as the rain continued to pour down.</p><p>With the water continuing to rise, Arkema was forced to make another difficult decision: evacuate the plant and the 1.5-mile radius around it.</p><p>"Arkema is limited in what it can do to address the site conditions until the storm abates," the company said in a press release. "We are monitoring the temperature of each refrigeration container remotely. At this time, while we do not believe there is any imminent danger, the potential for a chemical reaction leading to a fire and/or explosion within the site confines is real."</p><p>To reduce the threat of an explosion injuring others, Arkema worked with the U.S. Department of Homeland Security (DHS) and the State of Texas to continue to monitor the situation. They soon realized that while the chemicals were not fully igniting as they began to warm up, they were beginning to degrade. To address the threat, Arkema decided to ignite the containers the chemicals were housed in to eliminate the threat of an uncontrolled blast.</p><p> "This decision was made by Arkema Inc. in full coordination with unified command," the company said. 
"These measures do not pose any additional risk to the community, and both Arkema and members of the unified command believe this is the safest approach."</p><p>While the situation in Crosby was not ideal, it showed how facilities that manufacture, store, and transport chemicals in the United States are embracing a new mindset towards security and planning how to handle the worst-case scenario when it happens—whether it is a power outage or a terror attack.</p><p>One effort that's helping to spearhead this mindset is DHS's Chemical Facility Anti-Terrorism Standards (CFATS) program, which has sought to address and mitigate the threat of chemicals since its inception in 2007. </p><p> "In 2007, chemical security was fairly new and people weren't really sure what it meant," says CFATS Acting Director Amy Graydon. "We've since been able to foster this environment of chemical security."</p><p>But that environment could be in danger if Congress does not reauthorize the CFATS program, which is set to expire in January 2019. </p><p>"We think that reauthorization is the key to reducing the threat of terrorists using chemicals," Graydon explains. "We think that the program has really reduced the risks and is an important element of making the country more secure."</p><h4>CFATS Basics</h4><p>In the 2007 DHS Approp­riations Act, Congress required the agency to create regulations that established risk-based performance standards for chemical facilities that present high levels of risk. DHS was also mandated to subject these facilities to vulnerability assessments and require them to develop and implement site security plans.</p><p>To do this, DHS worked with industry to create the CFATS program—which is part of its Infrastructure Security Compliance Division (ISCD). 
The program identifies and regulates facilities that possess chemicals of interest at specific concentrations and quantities.</p><p>These concentrations and quantities are listed in what's referred to as Appendix A of the CFATS regulation. More than 300 chemicals are included, along with their screening threshold quantities. The chemicals are also categorized into three groups depending on the potential security threat of the substances: release, theft or diversion, and sabotage.</p><p>Facilities that meet or exceed the screening threshold quantities for chemicals of interest listed in Appendix A are required to report their possessions to DHS via a questionnaire called a Top-Screen.</p><p>ISCD then reviews that Top-Screen and notifies facilities if they are considered high risk and ranks them into Tier 1, 2, 3, or 4—with Tier 1 the highest. As of February 2018, ISCD had received Top-Screens from more than 40,000 facilities and determined that roughly 3,500 of those are high risk and must comply with CFATS.</p><p>Facilities that are tiered then must submit a Security Vulnerability Assessment and a Site Security Plan, or an Alternative Security Plan, that meets risk-based performance standards detailed in the CFATS regulation. These standards address factors such as perimeter security, access control, personnel security, and cybersecurity. The stringency of the requirements varies based on what tier a facility falls into, and facilities can create their own security plans—rather than having CFATS create a prescriptive security plan for them.</p><p>Once the plans have been submitted, ISCD inspectors perform a facilities inspection before approving the plans for implementation. 
</p><p>This process has proved beneficial to facility operators, says Jennifer Gibson, vice president of regulatory affairs for the National Association of Chemical Distributors.</p><p>"Those visits, while cumbersome, allowed for a lot of back and forth, getting clarity on what the agency was looking for," Gibson explains. "Usually it turned out that a facility would make changes to its plan, based on that inspection."</p><p>After inspectors approve the plans, facilities are expected to implement them. If they do not, they can be ordered to cease operations or issued a civil fine, with a maximum penalty of $33,333 per day per violation, as of February 2018.</p><p>Facilities are also required to resubmit their Top-Screen if they have a change in holdings, such as using new chemicals of interest for business processes.</p><p>"It could be that they may need some other security measures because we look at the type of chemical and its risks," Graydon says. "So, for theft and diversion, we're worried that a terrorist could be intentionally trying to either steal or divert the chemical for misuse; whereas for release, it's that the terrorist would be coming to the facility to cause a release."</p><p>During its first five years, CFATS did not approve a single facility site security plan. But since then, it has made major strides and completely eliminated its backlog to move into the compliance phase of the program. Now, approximately 140 inspectors are visiting sites based on risk—there is no mandated requirement for how often inspections occur.</p><p>"We have the compliance inspection index, and it takes into consideration a facility's tier, the number of planned measures that a facility has, and the amount of time since the last inspection," Graydon says. "So, we can get to folks in an appropriate manner." </p><h4>CFATS Changes</h4><p>After CFATS was up and running, some members of Congress and the chemical sector expressed concerns about the program. 
Primarily, concerns centered around the "administrative burden associated with the development of facility security plans and the pace of DHS efforts to process and approve them," according to a U.S. Government Accountability Office (GAO) report. </p><p>Congress addressed these concerns by passing the Protecting and Securing Chemical Facilities from Terrorist Attacks Act in 2014. It reauthorized the CFATS program and created an Expedited Approval Program (EAP), a voluntary option for Tier 3 and 4 facilities regulated under CFATS.</p><p>The EAP allows DHS to identify specific security measures that meet the risk-based performance standards of CFATS that facilities must implement to be compliant. </p><p>For example, release facilities would have to certify that their emergency equipment included at least one of the following: a redundant radio system that's interoperable with law enforcement and first responders, at least one backup communications system, an emergency notification system, an automated control system or process safeguards to place critical assets in a "safe and stable condition," or emergency safe-shutdown procedures.</p><p>"The EAP is expected to reduce the time and burden on smaller chemical companies, which may lack the compliance infrastructure and resources of large chemical facilities," GAO said. </p><p>CFATS implemented the EAP in June 2015. But as of April 2017, GAO found that only two organizations of 2,496 eligible facilities had used the EAP. </p><p>"Officials representing the two EAP chemical facilities told us that their companies involve small operations that store a single chemical of interest on site and do not have staff with extensive experience or expertise in chemical security," GAO reported. 
</p><p>Representatives from the two facilities also said they used the EAP because it helped them reduce the time and cost to prepare and submit their site security plans.</p><p>"For example, the contractor who prepared the site security plan for one of the two EAP facilities said that the facility probably saved $2,500 to $3,500 in consulting fees by using the EAP instead of a standard security plan."</p><p>Ultimately, only one of these organizations followed through with the EAP process because the other was later re-tiered and no longer considered a high-risk facility subject to CFATS.</p><p>Since the GAO report was issued, 16 facilities have used the EAP and Graydon says she is optimistic that more facilities will use the program moving forward.</p><p>"We think that only two facilities might have taken advantage of the EAP program because of where all facilities were in the process already by the time it rolled out," she adds. "Most facilities had already completed their site security plans or their alternative security programs."</p><p>Graydon's sentiments echo GAO's analysis, which found that the timing of EAP's implementation, its prescriptive nature, the lack of an authorization inspection, and a certification form requirement may have initially hindered participation in the program.</p><p>"DHS conducts in-person authorization inspections to confirm that security plans address risks under the standard process, but does not conduct them under the expedited program," GAO said. "DHS officials noted that some facilities may prefer having this inspection because it provides them useful information."</p><p>Since the EAP's rollout, CFATS has made other changes to the program that might also affect participation. 
For instance, DHS updated the online tool that facilities use to send data to ISCD for their Top-Screen to make it a much more streamlined process.</p><p>"We really took the opportunity to streamline and bring it up into the 21st century so we were using smart tools with logic," Graydon says. "We were able to reduce some duplicative questions, reducing the time it would take people by 50 percent—down to six hours."</p><p>This streamlining effort cascaded throughout CFATS data collection processes, dropping the time it took to complete a security vulnerability assessment from 65 hours to 2.5 hours, and site security plans from 225 hours to 20 hours.</p><p>"We were able to do that because the reauthorization had given us the stability to move forward," Graydon says. "The reauthorization gave not only industry the stability it needed to make capital investments…it gave us the opportunity to make some internal changes as well."</p><p>CFATS also launched a re-tiering effort looking at 27,000 facilities' initial Top-Screens from 2007 and 2008, and asking them to resubmit. It then re-tiered some facilities by incorporating threat and vulnerability into the overall tiering methodology, which is not public.</p><p>"We refined what we were looking at, particularly for facilities for theft and diversion," Graydon says. "We were able to incorporate some inherent vulnerability in that." For instance, Graydon gave the example of looking at the portability of chemicals and taking that into account when determining the risk level for a facility.</p><p>"It would be easier to steal a vial than a big tank; we were able to model the actual amount of the chemicals…," and include them in the tiering methodology, Graydon adds.</p><p>In a recent hearing before the U.S. 
House Homeland Security Subcommittee on Cybersecurity & Infrastructure Protection, Chet Thompson—president of the American Fuel and Petrochemical Manufacturers—said the re-tiering effort was an improvement on the old system.</p><p>"Folks believe risks are being better assessed, and a number of our facilities have been re-tiered," he explained. </p><p>However, Kirsten Meskill, director of corporate security for BASF Corporation, testifying on behalf of the American Chemistry Council (ACC), said that while ACC has seen a reduction in higher-risk facilities under the re-tiering, there's still a lack of transparency in the process.</p><p>"We don't know how these risk tierings were applied to the general sites," she said, adding that—from her perspective—there was no way to know whether the new method is addressing "real risks out there."</p><p>To address this, panelists at the hearing suggested that the GAO be brought in to review the new CFATS tiering methodology and issue a report on its effectiveness.</p><h4>Future of CFATS</h4><p>Despite some complaints about lack of transparency, all the panelists at the subcommittee hearing were in favor of reauthorizing the CFATS program. </p><p>"Any lapse in the program would be a serious concern to us," said Pete Mutschler, environment, health, and safety director for CHS Inc., adding that it would be "highly disruptive to both the industry and the regulated community" if CFATS were allowed to lapse and then be reinstated.</p><p>Mutschler said he was in favor of a multiyear reauthorization for CFATS to provide certainty to the regulated community so it can make "long-term investments" in security to comply with the program.</p><p>Doug Leigh, who serves as manager of legislative affairs for the National Association of Chemical Distributors, says that his members are also in favor of a lengthy reauthorization for the CFATS program. </p><p>"The last thing we want to see is a three-month reauthorization," Leigh says. 
"It would be going backwards instead of going forwards."</p><p>Graydon says she is optimistic about CFATS being reauthorized by Congress, due to its track record over the past several years in improving processes and reducing risk.</p><p>"We feel that we have demonstrated that we are a smart regulatory program—that we look for efficiencies," Graydon explains. "We are able to incorporate lessons learned, and we would like permanent or long-term reauthorization to make sure we have continued stability for industry and the program to continue to make efficiencies."</p><p>As of <em>Security Management'</em>s press time, no member of Congress had introduced a bill to reauthorize the CFATS program. </p>GP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465