Chemical Facility Anti- Terrorism Standards

Similar documents
Canadian Chemical Engineering Conference Edmonton, Alberta October 30, 2007

Chemical Facility Anti-Terrorism Standards. T. Ted Cromwell Sr. Director, Security and

How AlienVault ICS SIEM Supports Compliance with CFATS

The Office of Infrastructure Protection

2008 National Ag Safety School. Richard Gupton Vice President, Legislative Policy & Counsel Agricultural Retailers Association

The Office of Infrastructure Protection

Securing the Chemical Sector:

SECURITY CODE. Responsible Care. American Chemistry Council. 7 April 2011

The Office of Infrastructure Protection

Chemical Facility Anti-Terrorism Standards

The Office of Infrastructure Protection

The Office of Infrastructure Protection

RECENT DEVELOPMENT. Scott Goodman

Understanding CFATS: What It Means to Your Business Chemical Facility Anti-Terrorism Standards John C. Fannin III, CPP, LEED AP

European Responsible Care Forum. Security & Safe Maintenance

Statement for the Record. Rand Beers Under Secretary National Protection and Programs Directorate Department of Homeland Security

PD 7: Homeland Security Presidential Directive 7: Critical Infrastructure Identification, Prioritization, and Protection

DHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017

Written Statement of. Timothy J. Scott Chief Security Officer The Dow Chemical Company

Actions to Improve Chemical Facility Safety and Security A Shared Commitment Report of the Federal Working Group on Executive Order 13650

EXECUTIVE ORDER Chemical Facility Safety and Security: Providing ProtecFon Reduces Risk

Presented by Joe Burns Kentucky Rural Water Association July 19, 2005

IMPLEMENTATION OF REGDOC SECURITY OF NUCLEAR SUBSTANCES: SEALED SOURCES for category 3-5 licensees

Summary of FERC Order No. 791

S&T Stakeholders Conference

Standard CIP 007 4a Cyber Security Systems Security Management

POSTMARKET MANAGEMENT OF CYBERSECURITY IN MEDICAL DEVICES FINAL GUIDANCE MARCH 29, TH ANNUAL MEDICAL DEVICE QUALITY CONGRESS

Critical Cyber Asset Identification Security Management Controls

National Policy and Guiding Principles

EEI Fall 2008 Legal Conference Boston, Massachusetts Stephen M. Spina November 1,

Standard CIP 007 3a Cyber Security Systems Security Management

UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION COMMENTS OF THE PENNSYLVANIA PUBLIC UTILITY COMMISSION

Why you should adopt the NIST Cybersecurity Framework

Security Guideline for the Electricity Sub-sector: Physical Security Response

Statement for the Record

Critical Infrastructure

Pipeline Security Guidelines. April Transportation Security Administration

The Office of Infrastructure Protection

TWIC or TWEAK The Transportation Worker Identification Credential:

Joint ICTP-IAEA School of Nuclear Energy Management November 2012

Standard CIP Cyber Security Systems Security Management

Navigation and Vessel Inspection Circular (NVIC) 05-17; Guidelines for Addressing

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

How Secure Do You Feel About Your HIPAA Compliance Plan? Daniel F. Shay, Esq.

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Chapter 1. Chapter 2. Chapter 3

Project Cyber Security - Order No. 791 Identify, Assess, and Correct; Low Impact; Transient Devices; and Communication Networks Directives

Standard CIP Cyber Security Systems Security Management

Select Agents and Toxins Security Plan Template

Standard Development Timeline

MYTH vs. REALITY The Revised Cybersecurity Act of 2012, S. 3414

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

Implementation of Chemical Facility Anti-Terrorism Standards (CFATS): Issues for Congress

The J100 RAMCAP Method

FDA & Medical Device Cybersecurity

Implementing the Administration's Critical Infrastructure and Cybersecurity Policy

All-Hazards Approach to Water Sector Security & Preparedness ANSI-HSSP Arlington, VA November 9, 2011

COMPASS FOR THE COMPLIANCE WORLD. Asia Pacific ICS Security Summit 3 December 2013

PROCEDURE COMPREHENSIVE HEALTH SERVICES, INC

National Response Plan & Nuclear/Radiological Incident Annex. OSC Readiness Training November 17, 2004

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Implementation of Chemical Facility Anti-Terrorism Standards (CFATS): Issues for Congress

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 January 23, 2015

Implementation of Chemical Facility Anti-Terrorism Standards (CFATS): Issues for Congress

FERC Hydroproject Cyber Security [FERC 3A Section 9 versus CIP v5]

CNSC Presentation to the Federal Agency for Nuclear Control

Cyber Security Incident Report

Cyber Security Program

Introduction to the National Response Plan and National Incident Management System

Overview Bank IT examination perspective Background information Elements of a sound plan Customer notifications

MEDICAL DEVICE CYBERSECURITY: FDA APPROACH

ELECTRICAL ENGINEERING & INSTRUMENTATION MECHANICAL ENGINEERING BIOLOGICAL & INDUSTRIAL ENGINEERING NUCLEAR ENGINEERING STRUCTURAL & CIVIL

DETAILED POLICY STATEMENT

The Office of Infrastructure Protection

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013

Executive Order on Coordinating National Resilience to Electromagnetic Pulses

Cybersecurity and Hospitals: A Board Perspective

Updates to the NIST Cybersecurity Framework

CYBER SECURITY POLICY REVISION: 12

Environmental Accidents

The Ohio State University. Chemical Facility Anti-Terrorism Standards (CFATS) Program

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010

PIPELINE SECURITY An Overview of TSA Programs

Cybersecurity for the Electric Grid

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 June 2, 2014

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS

NHS Gloucestershire Clinical Commissioning Group. Business Continuity Strategy

Emergency Support Function #12 Energy Annex. ESF Coordinator: Support Agencies:

Cybersecurity Overview

DFARS Defense Industrial Base Compliance Information

NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION

uanacia 1+1 MARINE SECURITY OPERATIONS BULLETIN No:

IMPROVING CYBERSECURITY AND RESILIENCE THROUGH ACQUISITION

STORAGE OF SSAN. Security Risk Assessment and SECURITY PLAN. (insert name of company) SUBMITTED TO REGULATORY AUTHORITY: (insert date)

CIP Cyber Security Personnel & Training

This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective.

Dr. Emadeldin Helmy Cyber Risk & Resilience Bus. Continuity Exec. Director, NTRA. The African Internet Governance Forum - AfIGF Dec 2017, Egypt

Cyber Threats? How to Stop?

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Standard CIP Cyber Security Critical Cyber Asset Identification

Transcription:

SATA Presentation Regarding Chemical Facility Anti- Terrorism Standards Joe Hartline, CHMM Rindt-McDuff Associates Marietta, Georgia October 6, 2007

Presentation Outline Introduction Rule Requirements Current Status of the Rule Potential Covered Facility Summary

INTRODUCTION On April 9, 2007, the United States Department of Homeland Security (DHS) issued regulations to address the prevention of terrorism involving chemicals - the Chemical Facility Anti-Terrorism Standards ().

INTRODUCTION Background: After 9/11/2001, security of chemical facilities became a concern with regard to terrorism. The American Chemistry Council (ACC) lobbied heavily for voluntary security standards. ACC members were required to: Complete Security Vulnerability Assessments by 2003 end Have Independent 3 rd Party verification of security enhancements in 2005

INTRODUCTION Background: In October 2006, the President signed the Department of Homeland Security Appropriations Act of 2007. Sect. 550 mandated that DHS promulgate regulations establishing risk-based performance standards for security of chemical facilities. That led to in April 2007: became effective June 8, 2007 Appendix A was open for comment until May and has not been finalized yet

INTRODUCTION Goal: To secure facilities that present high levels of security risk from the actions of parties with malevolent intent. This is a different goal than those of either the PSM or RMP programs. Intentional vs. Accidental Theft of Materials not in PSM or RMP Prevention of Catastrophic Releases common to all 3 programs

INTRODUCTION GENERAL COMPARISON of RISK MANAGEMENT PROGRAMS PSM RMP GOAL Protection of Workers Primarily Protection of Off- Site Public & Envl Receptors Protection of Workers & Off-Site Public Receptors FOCUS Accidental Catastrophic Release Accidental Catastrophic Release Intentional Catastrophic Release SCOPE Process Process Facility

INTRODUCTION Regulations: 6 CFR 27 The regulations are found in the Code of Federal Regulations, Title 6, Part 27: 6 CFR 27 Chemical Facility Anti-Terrorism Standards Available at http://ecfr.gpoaccess.gov

Rule Requirements Distinction between Chemical Facilities and Covered Facilities Chemical Facility includes any establishment that possesses or intends to possess a quantity of a chemical substance determined by the Secretary to be potentially dangerous Covered Facility is a chemical facility determined by the Assistant Secretary to present high levels of security risk [also a facility that failed to report]

RULE REQUIREMENTS All chemical facilities possessing any Appendix A Chemicals of Interest at Screening Threshold Quantities (STQs) must submit a Top Screen Proposed Appendix A has 105 chemicals with STQ of any amount including HS, CO, Fluorine, Nitric Oxide Excluded facilities: Facilities under the Maritime Transportation Security Act Public Water Systems Treatment Works Facilities owned or operated by DOD or DOE Facilities regulated by Nuclear Regulatory Commission Top Screen due 60 days after Appendix A finalized

RULE REQUIREMENTS High Risk Covered Facilities subject to rule s risk-based security performance standards Facility is high risk if it presents a high risk of significant adverse consequences for human life or health, nat l security and/or critical economic assets if subjected to terrorist attack, compromise, infiltration or compromise No way to know at this time if a facility will be covered

RULE REQUIREMENTS DHS anticipates that vast majority of facilities will screen out DHS will notify facilities that are deemed covered Facility will have 90 days after notification to submit Security Vulnerability Analysis (SVA)

RULE REQUIREMENTS Facility will have 120 days after notification to submit Site Security Plan (SSP) SVA must include: Critical assets & layers of protection Assessment of internal & external threats ID of potential vulnerabilities Risk assessment of pot. effects on assets & likelihood of success of attack Analysis of countermeasure strategies DHS will place all covered facilities into one of 4 tiers, with one being highest risk & four lowest

RULE REQUIREMENTS Performance standards will be more robust for the higher risk tiers The 19 performance standards include: Securing facility perimeter Securing site assets Screening & controlling access to facility Deterring, detecting & delaying an attack to allow use of countermeasures Securing/monitoring shipment & storage of haz chemicals Deterring theft/diversion of potentially dangerous chemicals Deterring insider sabotage

RULE REQUIREMENTS Deterring cyber sabotage Monitoring Training Background checks on personnel & unescorted visitors (DHS will screen all facility employees against the Govt s Terrorist Screening Database) Escalating protective measures during elevated threat periods Addressing specific threats, vulnerabilities or risks IDed by DHS

RULE REQUIREMENTS Reporting significant security incidents to DHS Maintaining records of significant security incidents Establishing officials & an organization responsible for security Maintaining appropriate records Addressing any additional standards DHS may specify

RULE REQUIREMENTS DHS will inspect facility to confirm compliance with SSP prior to final approval Tier 1 & 2 facilities must submit a revised Top Screen, SVA & SSP after 2 years; Tier 3 & 4 facilities submit in 3 years Facilities must audit their SSPs annually DHS will inspect Tier 1s annually, Tier 2s biannually, etc. Alternative Security Programs Tier 4s may submit in lieu of SVA, SSP or both Tiers 1-3 may submit in lieu of SSP but not SVA

RULE REQUIREMENTS DHS has authority to order facility to cease operations Civil penalties are authorized up to $25,000 for each day a violation continues Chemical-terrorism Vulnerability Information (CVI) protected from public disclosure

Current Status of Rule DHS busy studying railroad facilities and long-haul pipelines & developing guidance documents DHS will carefully consider stakeholder input Leadership tenure limited to just over 1 year DHS prepared to inspect 50 Tier 1 facilities by years end

CURRENT STATUS OF RULE GAO Assessment of DHS The U.S. Government Accountability Office (GAO) believes DHS is falling considerably short of expectations in understanding threats to, and ensuring the security of, the chemical infrastructure GAO claims that DHS has failed to meet five of six performance expectations in the area of science and technology

CURRENT STATUS OF RULE GAO Assessment of DHS Expectations "generally not achieved" include: Assessment of emerging chemical, biological, and nuclear threats and homeland security vulnerabilities; Coordination of research, development, and testing efforts to identify and develop countermeasures to address chemical, biological, radiological, nuclear, and other emerging terrorist threats; and Coordination of deployment and assessment of nuclear, biological, chemical, and radiological detection capabilities and other countermeasures

Potential Covered Facility

Potential Covered Facility

Summary Could be costly, depending on tier and current security status DHS estimates cost to implement rule to be $720,000 per facility first 3 years Chemical substitution may be good strategy Stay tuned for publication of final Appendix A

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback