Securing the gray zone of regulated chemicals

March 24, 2008
NYPD's Operation Green Cloud underscores weaknesses of hazardous chemicals security
A continuous drive to improve security in the post-9/11 era has been a major industry focus, but some chemical makers point to a "gray zone" in which some small firms that handle chemicals may not be getting the message. That concern was underscored recently by a widely publicized undercover New York City Police Department (NYPD) operation to assess how difficult it would be for a newly established, but phony, company to buy chlorine online with few questions asked and minimal human interaction. The relative ease with which NYPD made its purchase and received product stunned some in the chemical industry, who say the operation serves as a cautionary tale that points to the need for improved education about security risks, especially among small- to mid-size firms doing business online.

"I was shocked," says Arthur Dungan, president of the Chlorine Institute (Arlington, VA), which learned of the operation after it was conducted last year. "We believe all suppliers need to know who their customers are and that these customers can safely and securely handle chlorine and whatever other material they are handling," Dungan says.

"It is very disturbing that they could purchase this material over the Internet," says Joseph Acker, president of Socma. "Responsible companies that belong to associations like Socma . . . practice product stewardship and just don't do these kinds of things."

NYPD says the scam, dubbed "Operation Green Cloud," is part of efforts to evaluate terrorism risks. "The primary objective was to assess the ease or difficulty with which a terrorist inside the U.S. could acquire large quantities of chlorine without being detected by law enforcement or intelligence agencies," NYPD says in a video about the operation. "Our principal finding was that at the present time few, if any, barriers stand in his way."

The operation involved creation of a Web site that outlined the corporate mission of the phony company, which presented itself as under contract with the city to restore and purify a Brooklyn creek. Using the Internet, NYPD found a list of potential vendors and settled on a distributor to make its online credit card purchase of three 100-lb cylinders of chlorine and have them delivered to a covert location "in an area surrounded by both commercial and residential facilities," NYPD says in the video. "At no point during the ordering process did we ever have a request from the vendor for identification," Todd Metro, detective/counterterrorism unit at NYPD, says in the video.

The vendor was Scott Specialty Gases (Plumsteadville, PA), which was acquired by Air Liquide after the NYPD operation. Scott Specialty referred calls on the incident to Air Liquide, which says it learned of the NYPD operation after it ended. "Our first reaction was to find out what happened, and our management doubled back" to evaluate Scott Specialty's operations, says an Air Liquide spokesperson. "We've been tightening up the process" at Scott Specialty, which now "follows our process for new customers," the spokesperson says. Air Liquide is "implementing a higher level of scrutiny [at Scott]. We have met with the Department of Homeland Security (DHS), which has reviewed our site in New Jersey and is satisfied," Air Liquide says. The company says it has also discussed the incident with ACC and the Chlorine Institute, but it would not elaborate. "It is kind of hard to know how you can avoid every single trick" when a customer is trying to be deceptive, the spokesperson adds.

Toxic by inhalation (TIH) chemicals including chlorine are regulated in the U.S. "by a patchwork of federal, state, and local laws," Elana DeLozier, Intelligence Research specialist at NYPD, says in the video. "These laws tend to focus on the safety of hazardous chemicals as they are transported or stored. Existing laws mainly address the risk from chemical accidents, not the threat of chemical terrorism." Many of the state and local databases that track hazmats are self-reporting systems that have no enforcement mechanism to ensure compliance, DeLozier says.

There are security protocols for Chlorine Institute member firms in place that require customer assessments to determine "that they are who they say they are" and can safely handle chlorine, Dungan says. At present, "these are done on a voluntary basis but the Chemical Facility Anti-Terrorism Standards (CFATS) regulation, when it's final, will mandate this. Knowing your customer is a key part of the regulation," he says. "If it's a new customer, typically this would be an onsite walk-through visit" that would include discussions to determine the customer's level of skill and expertise in handling chlorine, he adds.

"Chlorine is not a growth chemical" and is widely used, and so most customers are well-known, Dungan says. "It's not that often that you get a new customer. I guess, listening to the video, that they concocted a tale that sounded pretty good; but you'd expect a terrorist to do that," he says. The Chlorine Institute continues to tell its members to scrutinize their security plans and "take this opportunity to look at other aspects of the security plan and make sure they are being followed," he adds.

The Chlorine Institute and ACC say they were unaware that there was a video of the operation until after it was publicized. "We contacted [the NYPD] on a couple of occasions to say that this should not have happened," Dungan says. "We said we would like to publicize this to educate our members and reinforce the importance that we give to knowing your customers. [NYPD] said it would consider that, but was never willing to follow through."

NYPD did not respond to requests for an interview by CW presstime.

The National Association of Chemical Distributors (NACD; Arlington, VA) sent a letter expressing concern to NYPD commissioner Raymond Kelly last month when NYPD released the video, which is available on its Web site as well as on YouTube.com. "This type of distribution is not representative of the responsible actions of NACD company members, who, as a requirement of membership in the association, must conduct product stewardship and exercise due diligence when selling potentially dangerous products to customers," says Chris Jahn, NACD president, in the letter (CW, Feb. 25, p. 4).

NYPD says it worked with several city hazmat emergency response groups to mitigate potential risks of handling, delivery, and disposal of the chemicals. It also called on Kuehne Chemical (Kearny, NJ) to take possession of the cylinders after the operation. "Our involvement was fairly limited," says Donald Nicolai, president of Kuehne, which itself has been cited by government officials as a terrorism risk as its sites store chlorine in densely populated areas. Nicolai says the success of the NYPD operation is surprising. "I know it would be very difficult in any other circumstance. I don't know the background details, [but] I know you certainly couldn't do that from any of the people I know that supply containerized chlorine," he says.

The video "isn't about the companies that know what they are doing," Acker says. "There are a lot of [small] companies that supply industrial gases in small cylinders, and they're all over the place -- every town has one," he says. "They are probably not familiar with the harmful potential of chlorine or other toxic gases." Given that, they should not be allowed to use the Internet as their primary means of customer contact, he says. "To prevent this type of sale from occurring, Internet sales of reactive gases such as chlorine should be banned," Acker says. Using the Internet to make an initial contact with a potential customer is okay, "but then you have to call somebody and there needs to be some legitimate paper work exchanged" and meetings face to face, which is what major firms in the industry do, he says. "Sales of these types of chemicals without knowing who you are selling to is just not appropriate."

The video makes it clear that "it is extremely necessary to have an integrated security program, both from a public standpoint and from an industry standpoint," says Gary Gilmartin, director/business development at the Department of Energy's Y12 National Security Complex (Oak Ridge, TN), which makes components of nuclear weapons and "handles a significant number of the chemicals" listed on Appendix A of DHS's chemical security regulation. "If you look at the expanse of potential problems with homeland security, not just in the chemical industry, [security] is going to take an integrated approach across the entire U.S. You can't expect a single law to protect us from events or terrorist acts; we wouldn't be able to afford it, or we would have to stop all production," Gilmartin says.

Part of an integrated program should include administrative, or engineered, IT controls, Gilmartin says. This could be a system that limits chemical quantities to be sold as well as delivery locations and automatically flags the order.

Fraud management software is most widely used in business-to-consumer online transactions, though it has gained some traction in Corporate America, says Scott Olson, v.p./marketing at iovation (Portland, OR), a vendor of such software. The software alerts owners when, for example, someone tries to make several purchases from the same computer using different identities, Olson says. "Typically, fraudsters supply different personal and financial information" to the same company, he says.

This type of software would not have helped in the NYPD scam, however, as that involved only a one-time purchase by one purchaser, Olson says. "But the problem highlighted in the video is that purchases are being made of sensitive materials using data supplied by the user online. As more and more businesses move online, they place a greater reliance on non-face-to-face information that can be stolen or faked," he says. Identification technology is one of several tools to help combat cybercrime, he adds.
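The two kinds of control described above can be put side by side in a short sketch, added here as an illustration and not taken from any vendor or company named in the article. The product list, customer records, limits, device identifiers and orders are all constructed assumptions; order O1 mirrors the one-time purchase in the NYPD operation, which a device-reuse rule does not catch but an order-screening rule holds for review.

```python
from collections import defaultdict
from dataclasses import dataclass

CONTROLLED = {"chlorine"}  # assumption: products the seller treats as sensitive

@dataclass(frozen=True)
class Order:
    order_id: str
    device_id: str      # hypothetical device fingerprint
    customer_id: str
    product: str
    pounds: int
    ship_to: str

# Constructed records of customers already assessed in person.
CUSTOMERS = {
    "known-utility": {"sites": {"plant-1"}, "max_lbs": 2000},
}

# Constructed orders; O1 mirrors the purchase described in the article.
ORDERS = [
    Order("O1", "D1", "new-restoration-co", "chlorine", 300, "covert-site"),
    Order("O2", "D2", "known-utility", "chlorine", 200, "plant-1"),
    Order("O3", "D3", "alice", "nitrogen", 50, "shop-a"),
    Order("O4", "D3", "bob", "nitrogen", 50, "shop-b"),
    Order("O5", "D2", "known-utility", "chlorine", 2500, "warehouse-9"),
]

def device_reuse_alerts(orders):
    """Devices that placed orders under more than one identity."""
    seen = defaultdict(set)
    for o in orders:
        seen[o.device_id].add(o.customer_id)
    return {dev for dev, ids in seen.items() if len(ids) > 1}

def screen_order(order, customers=CUSTOMERS):
    """Reasons to hold a controlled-product order for manual review."""
    if order.product not in CONTROLLED:
        return []
    record = customers.get(order.customer_id)
    if record is None:
        return ["no customer assessment on record"]
    reasons = []
    if order.ship_to not in record["sites"]:
        reasons.append("delivery location not approved")
    if order.pounds > record["max_lbs"]:
        reasons.append("quantity above customer limit")
    return reasons

if __name__ == "__main__":
    print("device reuse:", device_reuse_alerts(ORDERS))
    for o in ORDERS:
        print(o.order_id, screen_order(o) or "release")
```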

The NYPD video ends with a reference to the CFATS regulations that are beginning to be implemented. The regulations call for facilities that produce or store 2,500 lbs of chlorine or more to fill out top screens, which DHS will use to assign security risk levels. Cybersecurity is a part of the CFATS' 19 risk-based performance standards. DHS is expected to provide guidelines on these standards, though it has not yet set a deadline for this.

The CFATS deal with the "top priorities first," Acker says. Security is a process but not one in which "you start to do something and instantly solve all the problems," he says. Solving one problem sometimes raises others. The NYPD chose a company selling small quantities of chlorine and "somebody would have to work at getting a lot of material to do mass destruction," he adds. Even so, he says the issues raised in the video "need to be addressed."