Updated: March 26th, 2008 10:01 AM EDT

Securing the gray zone of regulated chemicals

NYPD's Operation Green Cloud underscores weaknesses of hazardous chemicals security

A continuous drive to improve security in the post 9/11 era has been a major industry focus, but some chemical makers point to a "gray zone" in which some small firms that handle chemicals may not be getting the message. That concern was underscored recently by a widely publicized undercover New York City Police Department (NYPD) operation to assess how difficult it would be for a newly established, but phony, company to buy chlorine online with few questions asked and minimal human interaction. The relative ease with which NYPD made its purchase and received product stunned some in the chemical industry, who say the operation serves as a cautionary tale that points to the need for improved education about security risks, especially among small- to mid-size firms doing business online.

"I was shocked," says Arthur Dungan, president of the Chlorine Institute (Arlington, VA), which learned of the operation after it was conducted last year. "We believe all suppliers need to know who their customers are and that these customers can safely and securely handle chlorine and whatever other material they are handling," Dungan says.

"It is very disturbing that they could purchase this material over the Internet," says Joseph Acker, president of Socma. "Responsible companies that belong to associations like Socma . . . practice product stewardship and just don't do these kinds of things."

NYPD says the scam, dubbed "Operation Green Cloud," is part of efforts to evaluate terrorism risks. "The primary objective was to assess the ease or difficulty with which a terrorist inside the U.S. could acquire large quantities of chlorine without being detected by law enforcement or intelligence agencies," NYPD says in a video about the operation. "Our principal finding was that at the present time few, if any, barriers stand in his way."

The operation involved creation of a Web site that outlined the corporate mission of the phony company, which presented itself as under contract with the city to restore and purify a Brooklyn creek. Using the Internet, NYPD found a list of potential vendors and settled on a distributor to make its online credit card purchase of three, 100-lb cylinders of chlorine and have them delivered to a covert location "in an area surrounded by both commercial and residential facilities," NYPD says in the video. "At no point during the ordering process did we ever have a request from the vendor for identification," Todd Metro, detective/counterterrorism unit at NYPD, says in the video.

The vendor was Scott Specialty Gases (Plumsteadville, PA), which was acquired by Air Liquide after the NYPD operation. Scott Specialty referred calls on the incident to Air Liquide, which says it learned of the NYPD operation after it ended. "Our first reaction was to find out what happened, and our management doubled back" to evaluate Scott Specialty's operations, says an Air Liquide spokesperson. "We've been tightening up the process" at Scott Specialty, which now "follows our process for new customers," the spokesperson says. Air Liquide is "implementing a higher level of scrutiny [at Scott]. We have met with the Department of Homeland Security (DHS), which has reviewed our site in New Jersey and is satisfied," Air Liquide says. The company says it has also discussed the incident with ACC and the Chlorine Institute, but it would not elaborate. "It is kind of hard to know how you can avoid every single trick" when a customer is trying to be deceptive, the spokesperson adds.

Toxic by inhalation (TIH) chemicals including chlorine are regulated in the U.S. "by a patchwork of federal, state, and local laws," Elana DeLozier, Intelligence Research specialist at NYPD, says in the video. "These laws tend to focus on the safety of hazardous chemicals as they are transported or stored. Existing laws mainly address the risk from chemical accidents, not the threat of chemical terrorism." Many of the state and local databases that track hazmats are self-reporting systems that have no enforcement mechanism to ensure compliance, DeLozier says.

There are security protocols for Chlorine Institute member firms in place that require customer assessments to determine "that they are who they say they are" and can safely handle chlorine, Dungan says. At present, "these are done on a voluntary basis but the Chemical Facility Anti-Terrorism Standards (CFATS) regulation, when it's final, will mandate this. Knowing your customer is a key part of the regulation," he says. "If it's a new customer, typically this would be an onsite walk-through visit" that would include discussions to determine the customer's level of skill and expertise in handling chlorine, he adds.