Securing the gray zone of regulated chemicals

NYPD's Operation Green Cloud underscores weaknesses of hazardous chemicals security

The video makes it clear that "it is extremely necessary to have an integrated security program, both from a public standpoint and from an industry standpoint," says Gary Gilmartin, director/business development at the Department of Energy's Y12 National Security Complex (Oak Ridge, TN), which makes components of nuclear weapons and "handles a significant number of the chemicals" listed in Appendix A of DHS's chemical security regulation. "If you look at the expanse of potential problems with homeland security, not just in the chemical industry, [security] is going to take an integrated approach across the entire U.S. You can't expect a single law to protect us from events or terrorist acts; we wouldn't be able to afford it, or we would have to stop all production," Gilmartin says.

Part of an integrated program should include administrative, or engineered, IT controls, Gilmartin says. This could be a system that limits the quantities of chemicals that can be sold and the locations to which they can be delivered, and that automatically flags the order.

Fraud management software is most widely used in business-to-consumer online transactions, though it has gained some traction in Corporate America, says Scott Olson, v.p./marketing at iovation (Portland, OR), a vendor of such software. The software alerts owners when, for example, someone tries to make several purchases from the same computer using different identities, Olson says. "Typically, fraudsters supply different personal and financial information" to the same company, he says.

This type of software would not have helped in the NYPD scam, however, as that involved only a one-time purchase by one purchaser, Olson says. "But the problem highlighted in the video is that purchases are being made of sensitive materials using data supplied by the user online. As more and more businesses move online, they place a greater reliance on non-face-to-face information that can be stolen or faked," he says. Identification technology is one of several tools to help combat cybercrime, he adds.

The NYPD video ends with a reference to the CFATS regulations that are beginning to be implemented. The regulations call for facilities that produce or store 2,500 lbs of chlorine or more to fill out top screens, which DHS will use to assign security risk levels. Cybersecurity is a part of the CFATS' 19 risk-based performance standards. DHS is expected to provide guidelines on these standards, though it has not yet set a deadline for this.

The CFATS deal with the "top priorities first," Acker says. Security is a process but not one in which "you start to do something and instantly solve all the problems," he says. Solving one problem sometimes raises others. The NYPD chose a company selling small quantities of chlorine and "somebody would have to work at getting a lot of material to do mass destruction," he adds. Even so, he says the issues raised in the video "need to be addressed."