CISA CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY CHEMICAL FACILITY
CISA | CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY CHEMICAL FACILITY ANTITERRORISM STANDARDS (CFATS) Rodney Lockett August 5, 2019
Why Chemical Facility Security? We face a persistent and evolving threat A successful attack on a chemical facility could potentially cause a significant number of deaths and injuries Death T oll Fertilize in West, Texas , r Explo sion Ris es to 15 NPR Subway Bombings – London , April 2 3, 2013 Ammonium Nitrate – Texas Certain chemical facilities possess materials that could be stolen or diverted and used. Police Block Scene of Attack – France for terrorist activities French Authoritie s Hold Suspect in Beheading and Exp losion at Chemical Plant NY Times, June 26 , 2015 n Blasts i s u B d an Subway ill at Least 3, 72015 K ly 8 London NY Times, Ju Chlorine-Tinged Smoke from Detonated Bomb – Iraq acks, t t A e in Chlor e r o port M t Offensive. March 16, 2015 e R s d i rs, Kur Reute s Tikr e s u a Iraq P Rodney Lockett August 5, 2019 11
Ensuring Chemical Facility Security Statutory Authority In December 2006, Congress authorized DHS to regulate security at “high-risk” chemical facilities The Department developed the Chemical Facility Anti-Terrorism Standards (CFATS), 6 CFR Part 27, to implement this authority In December 2014, Congress extended the Department’s authority through the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014 - 6 U. S. Code Chapter 1, Subchapter XVI: Chemical Facility Anti-Terrorism Standards (CFATS) In January 2019, CFATS received a 15 -month extension to its current authorization Rodney Lockett August 5, 2019 12
The CFATS Regulation The CFATS program identifies and regulates high-risk chemical facilities to ensure they implement appropriate security measures to reduce the risk of a terrorist attack associated with more than 300 chemicals of interest (COI). If held in specified quantities and concentrations, these chemicals must be reported to DHS. Facilities that store, manufacture, or distribute COI at or above screening threshold quantities (STQ) are required to comply with the CFATS standards. Ø CFATS follows a risk-based approach, allowing DHS to focus on high-risk chemical facilities in accordance with their specific level of risk Rodney Lockett August 5, 2019 13
Essentials of the CFATS Program Facilities in possession of Chemicals of Interest at or above the screening threshold quantities and concentration must submit a risk assessment DHS uses information submitted through the online risk assessment (Top-Screen) to determine if a facility is high-risk / covered Covered facilities are placed in one of four tiers Tier one represents the highest risk Covered facilities are required to develop and implement security plans that meet applicable risk -based performance standards (RBPS) Chemical Security Inspectors assigned to all 50 States and U. S. territories conduct inspections, assist with compliance, and perform outreach Rodney Lockett August 5, 2019 14
The CFATS Process Facility may be tiered in or drop out If the facility receives a tier… Submit Top-Screen Receive a Tier (1 -4) or be deemed not high-risk Provide a Security Vulnerability Assessment (SVA)/Complete Site Security Plan (SSP) or Alternative Security Program (ASP) All facilities with COI Receive Authorization and an Authorization Inspection Receive Approval of the SSP/ASP Implement Planned Measures and Undergo Regular Compliance Inspections High-risk facilities DHS provides compliance assistance upon request at any stage of this process More than 150 Chemical Security Inspectors are available for support across the country Rodney Lockett August 5, 2019 15
CFATS Universe Identifying high-risk chemical facilities Hospitals and Clinics “Appendix A” – a list of 300+ chemicals of interest (COI) at specific threshold quantities and concentrations that require reporting to the Department Wineries Correctional Facilities Chemical Facilities Come in All Shapes and Sizes Chemical Manufacturing Oil Refineries Food Processing Wineries Colleges and Universities Rodney Lockett Farm Cooperatives August 5, 2019 16
Industries with Facilities Regulated by CFATS regulates facilities in various industries, including: Academia (College & Universities) Aerial Sprayers (Non-Fertilizer) Breweries Cold Chain/Refrigeration Energy Utilities Fisheries and Hatcheries Food Processors and Co-Ops Healthcare (Hospitals & Providers) Laboratories NH 3 CI AN H 202 Metal Service and Metal Merchants Mining Motor Vehicle Parts Manufacturing Paints/Coatings Petrochemical Manufacturing Petroleum Refining/Oil Drilling Plastics Pulp and Paper Race Tracks Retail Storage and Distribution Semiconductors Water Parks, Pools, and Filtration Wineries Rodney Lockett August 5, 2019 17
CFATS National Footprint Number of Facilities, by Region 0 -200 201 -400 401 -600 600+ Region 10 Region 8 Region 9 - Hawaii (Region 9) - Guam (Region 9) Region 5 Region 7 Region 4 Region 6 Region 1 Region 2 Region 3 Puerto Rico (Region 2) Rodney Lockett August 5, 2019 18
Region VII Snapshot Region VII includes: 1 Chief of Regulatory Compliance 1 Supervisory Chemical Security Inspectors 1 Senior Chemical Security Inspectors 5 Chemical Security Inspectors 1 Regulatory Analyst Inspectors visit regulated facilities to ensure that they meet the security requirements set by the CFATS program. They are actively involved in local community outreach, local first responder meetings, and annual industry conferences with national and international organizations. More than 150 Chemical Security Inspectors assigned to all 50 States and U. S. territories conduct inspections, assist with compliance, and perform outreach Rodney Lockett August 5, 2019 19
Program Status: Covered Facilities Tier Total Currently Covered Facilities Tier Region VII Currently Covered Facilities 1 168 1 12 2 77 2 8 3 1, 375 3 59 4 1, 700 4 118 Total 3, 320 Total 197 August 5, 2019 Rodney Lockett August 5, 2019 20
Risk-Based Performance Standards RBPS-13 Elevated Threats Rather than prescribe specific facility security measures, DHS developed 18 risk-based performance standards (RBPS) Covered facilities are required to develop and implement security plans that meet applicable RBPS-14 Specific Threats, Vulnerabilities, or Risks RBPS-8 Cyber Compliance with the RBPS will be tailored to fit each facility’s circumstances, including tier level, security issues, and RBPS-1 Restrict Area Perimeter physical and operating environments Rodney Lockett August 5, 2019 21
RBPS – 9 Response Develop and exercise an emergency plan to respond to security incidents internally and with assistance of local law enforcement and first responders. Response focuses on the planning to mitigate, respond, and report incidents in a timely manner between facility personnel, first responders, and law enforcement Local Emergency Planning Committees (LEPC) may be contacted by local Chemical Security Inspectors to verify that facilities have developed plans for emergency notification, response, evacuation, etc. IP Gateway (EO Portal) – A DHS platform to share and coordinate CFATS information among Federal, State, local, territorial, and tribal (SLTT) agencies partners. Rodney Lockett August 5, 2019 22
Security Components and Activities What are some possible facility security components related to RBPS-9? What are some activities a facility may want to include in its Crisis Management Plan? Crisis Management Plan Contingency Plans Communication Systems Continuity of Operations Plan Process Safeguards Emergency Response Outreach Post-incident Security Evacuation Notification Control Re-entry Security Response Rodney Lockett August 5, 2019 23
The Role of First Responders Collaboration between CFATS covered facilities and first responders is critical to ensuring a secure and resilient community. Compliance with the RBPS is beneficial to the facility and the emergency response community, for example: – Detect, Deter, and Delay (RBPS 4) – Response (RBPS 9) – Training (RBPS 11) – Reporting of significant security incidents (RBPS 15 & 16) Facilities are encouraged to coordinate with the emergency response community as they develop these aspects of their SSPs / ASPs. The first time local emergency responders visit a facility should not be at the time of an incident. Rodney Lockett August 5, 2019 24
CFATS and First Responders The work that high-risk chemical facilities do with first responders and law enforcement to ensure emergency response measures are in place prior to an incident bolsters our nation’s security. DHS is actively seeking Chemical Facilities of Interest and spreading the word on CFATS to promote chemical security awareness and reduce the potential risk of an incident. Rodney Lockett August 5, 2019 25
Spreading the Word DHS continues to expand outreach efforts and reach deeper into communities Increasing Federal, state, local, tribal, and territorial interagency coordination Communicating directly with facilities and corporations Participating in industry association meetings and conferences Working with communities and first responders Rodney Lockett August 5, 2019 26
Chemical Facility Security & Safety Working Group Available Resources https: //www. osha. gov/chemicalexecutiveorder/ Rodney Lockett August 5, 2019 27
Chemical Sector Training Resources DHS has developed a series of Web-based security awareness training courses for the critical infrastructure community and the Chemical Sector Advance your security awareness by completing training courses: How to Counter Insider Threats How to Prepare For and Respond to an Active Shooter Situation Access these security training courses by visiting: https: //www. dhs. gov/chemical-sector-training Rodney Lockett August 5, 2019 28
Critical Infrastructure Training Resources DHS offers a wide array of free tools and resources to government and private sector partners to enable the critical infrastructure security and resilience mission. Visit: https: //www. dhs. gov/critical-infrastructure-resources to access: Cross-Sector Resources: Suspicious Activity Reporting Tool, Active Shooter Preparedness, etc. Sector-Specific Resources: DHS Sector-Specific Agencies (SSAs), Co. SSAs, and Other Department SSAs Assessment Resources: Cybersecurity Evaluation Program (CSEP), Regional Resiliency Assessment Program (RRAP), etc. You can also access FEMA training by visiting: https: //www. dhs. gov/critical-infrastructure-training Rodney Lockett August 5, 2019 29
What is the IP Gateway? The IP Gateway is centrally-managed repository of data and capabilities, and allows stakeholders to easily access, search, retrieve, visualize, analyze, and export infrastructure data from multiple sources. DHS established the IP Gateway to improve Federal agency information sharing and coordination among Federal, State, local, territorial, and tribal (SLTT) agencies partners. IP Gateway maintains three layers of information protection: Protected Critical Infrastructure Information (PCII) Chemical-terrorism Vulnerability Information (CVI) For Official Use Only (FOUO) Rodney Lockett August 5, 2019 30
Outreach Resources DHS is committed to promoting chemical security awareness through outreach and fostering relationships within communities. The first time local first responders visit a facility should not be at the time of an incident. CFATS offers a variety of outreach resources pertinent to local first responders including: Appendix – A Trifold The Role of Emergency Responders Fact Sheet RBPS 9 – Response Fact Sheet IP Gateway Fact Sheet Rodney Lockett August 5, 2019 31
Hometown Security Rodney Lockett August 5, 2019 32
Rodney Lockett Region 7 Chief of Regulatory Compliance • Phone: (202) 841 -2065 • Email: Rodney. Lockett@hq. dhs. gov 33 Rodney Lockett August 5, 2019
C I S A | C Y B E R S E C U R I T Y A ND I N F R A S T R U C T U R E S E C U R I T Y A G E N C Y CHEMICAL SECTOR
Cybersecurity and Infrastructure Security Agency (CISA) Mission: CISA partners with industry and government to understand manage risk to our Nation's critical infrastructure Vision: Secure and resilient infrastructure for the American people CISA executes DHS’s PPD-21 Sector Specific Agency (SSA) roles and responsibilities. CISA coordinates security and resilience efforts using trusted partnerships across the private and public sectors, and delivers technical assistance and assessments to federal stakeholders as well as to infrastructure owners and operators nationwide.
SSA Management Sector-specific capacity building (technical resources, training, etc. ) Sector coordination and collaboration mechanisms (Sector partnership structures) SSA Management Sector-specific incident management Sector stakeholder engagement and outreach
Chemical Sector … the uninterrupted production and transportation of chemicals essential for national and economic security …
Chemical Sector - Regulatory
Partnerships in Action Chemical Sector Resources The Chemical Sector-Specific Agency provides institutional knowledge and specialized expertise to collaboratively develop, coordinate, and implement voluntary programs to improve security and resilience within the Chemical Sector Training The Chemical Sector-Specific Agency continues to collaborate with government and sector partners to identify and develop free or low-cost security awareness training and resources that meet the needs of the Chemical Sector Publications The Chemical Sector-Specific Agency has an assortment of publications to assist chemical facility owners and operators increase the security and resilience of the Chemical Sector. Cybersecurity Our daily life, economic vitality, and national security depend on a stable, safe, and resilient cyberspace. 39
Partnerships in Action (cont. ) Chemical Sector Partnerships Chemical Sector owners and operators have a strong history of working in partnership to develop industry practices that build a culture of safety and security. Read more on how partnerships are enhancing security and resilience in the Chemical Sector. CISA Office for Bombing Prevention (OBP) Leads and coordinates efforts to protect life and critical infrastructure by building capabilities within the general public and across the public and private sectors to prevent, protect against, respond to, and mitigate improvised explosive device (IED) incidents. CISA Soft Target and Crowded Places Task Force Soft targets and crowded places are increasingly appealing to terrorists and other extremist actors because of their relative accessibility and the large number of potential targets. This challenge is complicated by the prevalent use of simple tactics and less sophisticated attacks. In order to support these venues in mitigating potential risks associated with the dynamic threat environment, the Department of Homeland Security developed a number of resources focused on improving security and implementing protective measures.
Information Sharing and Outreach Homeland Security Information Network – Critical Infrastructure (HSIN-CI) Critical infrastructure partners are vetted through the Sector COIs and gain access to cross-sector content on the HSIN-CI Homepage and associated content sites.
Chemical. Sector@hq. dhs. gov Chemical Sector on the web: https: //www. dhs. gov/cisa/chemical-sector CISA on the web: https: //www. dhs. gov/CISA
- Slides: 42