Bill Wayman is the director of security services for TVA Fire & Life Safety.
The security of chemical facilities and transport systems has been a concern of the chemical industry for many years. In fact, industry groups such as the American Chemistry Council (ACC), the Synthetic Organic Chemical Manufacturers Association (SOCMA), and the Chlorine Institute have been diligently working to improve the security of their members' facilities, processes, and products.
To help their members achieve these goals, the ACC, SOCMA, and Chlorine Institute created the Responsible Care Security Code (RCSC), which includes 13 basic management practices that enhance security in the following areas: facilities, cyber, and transportation.
Although no single methodology can work for every facility or situation, the 13 principles laid out by the RCSC can effectively reduce the risk of a wide range of threats and mitigate the effects of terrorism, vandalism, sabotage and workplace violence. And these principles can benefit a wide array of companies - from chemical plants, to bulk refrigeration facilities, to retail outlets.
What follows is a synopsis of the RCSC Managing Practices. They can serve as starting points for evaluating an existing plan or developing a new security program; but they should not be viewed as a complete security plan that will resolve every issue at every facility.
1. Management's Commitment
The commitment to security starts at the top. Senior management must demonstrate through words and actions a clear commitment to security at their company - from corporate headquarters to the most remote facilities.
When a security program has support from senior management, it is more likely that it will be implemented and that staff will comply with it. A commitment from the executive team helps the security staff gain cooperation from fellow employees and obtain the funding and materials necessary to implement security programs.
Key members of management should support the funding and oversee - or even participate in - their company's security planning process. If direct involvement is not possible, they should track and monitor progress and above all, ensure that security concerns are addressed in their strategic and annual budgetary plans.
Activities like these show that the company is committed to the security of the facility, employees, stakeholders and the general public.
2. Assess Threats, Vulnerabilities and Consequences
Management must identify all processes that use, produce or transport chemicals that could, if released or stolen, have the potential to cause irreparable harm to people, property or the environment, as well as chemicals that could be used as (or be used to produce) weapons of mass destruction. All chemical facilities, including storage and retail outlets, need to be evaluated.
Assessing threats at a facility is a challenging undertaking, but the following criteria can help establish a baseline:
- The potential danger posed by the materials present
- The attractiveness of each target
- The consequences of an attack (on site and off site)
- The difficulty/ease of mounting an attack
- The potential for simultaneous attacks against adjacent or neighboring equipment
Formulas exist for assessing all identified vulnerabilities, but space limitations preclude a description of them here. The benefit of assessing facilities is that, once completed, a company can be confident that it is devoting sufficient resources and personnel to the appropriate sites.
b. Vulnerability Assessment
A vulnerability assessment serves as the foundation for all security initiatives. It is a vital tool for determining what should be protected, what kind of threats the facility is vulnerable to, and how best to protect sensitive areas.
Start by creating a vulnerability assessment team, which should have representatives from all divisions of the organization, the appropriate resources to fulfill its mission, and the full support of senior management. If expertise in evaluating security vulnerabilities and in developing appropriate countermeasures to those vulnerabilities is not available within the company, consider enlisting the services of a qualified security consultant.
Once a team has been selected, conduct the vulnerability assessment. Building on the information gathered during the prioritization process, confirm if the previously identified areas are actually targets and determine if there are any other potential targets.
There are several effective methodologies for conducting a vulnerability assessment. Select an appropriate one that includes factors such as local security needs, the nature of the assets, the complexity of the asset infrastructure, available information, available personnel and resources, company and national interests, and community concerns.
Regardless of which method is selected, it should measure and compare relative security risks. If the risks are deemed unacceptable, recommendations must be developed for measures that reduce risks.
When assessing vulnerabilities, look beyond the "fence line" of your facility. Take into account vulnerabilities that could arise because of inadequate security measures at nearby sites. Also consider vulnerabilities that could arise because of the site's proximity to attractive targets, such as government buildings, military installations, or national monuments (an attack on one of those targets could cause collateral damage to your site).
Determine the likelihood of a successful attack based on the scope of your analysis, local needs, and the quality of available information. Identify relevant layers of protection and the consequences of failure of those layers of protection. Consider potential consequences of security events on workers, the community, the environment and critical infrastructure. Base your analysis on reasonable worst-case scenarios.
The result of the vulnerability assessment is a site security plan, which addresses all relevant categories of site security: perimeter protection (fencing, clear zones); access control (doors, gates, keys, locks); cyber security; training; drills; surveillance; lighting; signage; alarms; badging; vehicle and property control; security communications; law enforcement or other emergency response scenarios; communications with local authorities and community leaders; intrusion detection; security officers and post orders; visitor control; package and mail inspection; investigations; employment termination procedures; and bomb threat procedures.
3. Implementation of Security Countermeasures
Implementing recommended security countermeasures identified through the vulnerability assessment will help a company protect employees, the community and the environment; maintain the integrity of operations; reduce litigation risk, insurance costs and theft; decrease the risk of vandalism and sabotage by employees and non-employees; safeguard trade secrets; and improve relationships with local authorities and surrounding communities.
Some of the strategies for effectively implementing security measures include: establishing clear responsibility for site security coordination and for implementing the security enhancement measures; establishing a realistic implementation schedule; allocating the necessary resources; and confirming that measures have been put in place and are working appropriately.
4. Information and Cyber Security
Assuring the security of information and information systems helps protect a company's electronic systems, process controls, telecommunications, and management and commerce functions. Information security also helps deprive potential adversaries of information that might help them in their actions against a company.
The objective of cyber-security practices is to protect the confidentiality, integrity, and availability of information; ensure the safety and operational effectiveness of process controls; and prevent information from being used that could compromise the physical security practices of companies. To be most effective, these controls should protect technology, processes and people.
Cyber-security risk assessment should be coordinated with the physical security assessment and should include: evaluating connections between internal networks and the Internet or other company networks; creating policies and practices for upgrading antivirus software; and developing access control policies and practices, including remote access and wireless communications.
Unless you have the internal expertise, seriously consider hiring an outside IT security consultant to assist in the assessment.
5. Documentation
Documentation of a company's security programs, processes and procedures helps to institutionalize your security program so that security will not falter as security employees leave the company. It also assures that the program outlasts the person who developed it.
Documentation of security measures tends to increase compliance; rules are generally followed more closely when someone is looking and keeping records. Documentation of security performance, violations, successes and failures also helps security staff to determine various security measures that may need to be strengthened.
Last, complete and accurate documentation of a company's security program facilitates a smooth transition to third-party certification of the company's security program.
6. Security Program Training and Drills
When establishing a training program, strive to create a culture where training is a routine, expected practice. Consider using both internal and external resources to ensure the best training is received. Reinforce training with e-mailed security reminders or post security tips on the company intranet.
Conduct drills to test the effectiveness of security measures and training programs. Evaluate these drills and make use of the lessons learned to continuously improve the program.
7. Communications, Dialogue and Information Exchange
Communication is key to a successful security program. When security policies, concerns and measures are communicated to employees, contractors and visitors, they are more likely to adhere to those policies and to notice and report security-related incidents.
Building a partnership with law enforcement officials and other responders can increase the effectiveness of support. Also, once regular lines of communication are established, local responders are more likely to provide advance notice of threats and relevant developments.
Providing information about your security program to the community can foster understanding that will benefit everyone. Sharing information also can reduce tension between communities and companies, can open the door to constructive dialogue, and may lead to improved site security.
8. Response to Security Threats
It is very beneficial to collect information about threats aimed not only at your facility or company, but also at the surrounding community, your specific industry, and the nation.
With timely information, security staff may be able to detect and prevent impending security incidents. In addition, analyzing information may make it possible to discern trends. If security staff and management report and communicate security threats to company employees and other interested parties, more people can be involved in supporting the security effort.
Your security staff should regularly evaluate the number and severity of reported security incidents. They should communicate to management any significant increases or decreases in threats.
Establish a regular schedule for security staff and facility management to review information. Security measures should be upgraded incrementally as the threat level escalates. To improve response to threats, develop liaisons with emergency responders and other appropriate contacts.
9. Response to Security Incidents
A proper response to a security incident can reduce its effect on a company, employees, and neighbors, minimize losses and prevent future incidents.
Here are several tactics you can employ to ensure an optimal response to security incidents:
- Develop a process for reporting incidents and investigations
- Report any suspected illegal activity to law enforcement
- Review final incident investigation reports with all personnel whose job tasks are relevant to the incident findings
- Maintain investigation reports for at least five years
If your facility does not have trained security officers on site, your staff should not respond in person to potentially dangerous situations, but instead should immediately contact law enforcement. Also, make sure corrective actions are taken after an incident. Develop a means for management to audit and measure those responsible for taking corrective actions.
10. Audits
Establish a formal audit program and regularly conduct security audits to ensure proper deployment, identify weaknesses, incorporate lessons learned, and develop corrective actions. Be sure to develop a detailed, comprehensive audit checklist or protocol that encompasses key aspects of security: physical security measures, procedures, documentation, cyber security and management/supervision practices.
11. Third Party Verification
A key component of the RCSC is verifying that a company has implemented the enhanced security measures described in the vulnerability assessment program.
Independent third-party verification, including certification of compliance with the RCSC, provides a number of benefits. When a company obtains this certification, both plant employees and the local community will be further reassured that the company has taken important precautionary steps to appropriately secure the site.
12. Management of Change
Changes to plant conditions provide the opportunity to predict security implications and adjust security measures before problems arise. It's critical that security staff is informed at the earliest opportunity of changes to operations and processes. Make security staff responsible for seeking out such information, and make other company managers responsible for providing it.
If your organization has existing change management programs, modify them to include security.
13. Continuous Improvement
A formal process dedicated to continuous improvement can help a company maintain its security effort at the highest level. By constantly tracking, measuring and testing security measures, a company can identify gaps and make improvements before incidents occur.
Some Final Thoughts
Protecting any type of facility from a security event is more than a sound business practice and an ethical imperative - it is a mandate in these unpredictable times. Although creating and implementing an effective security plan requires considerable expertise and resources, the peace of mind that it brings is well worth the effort.
About the author: William Wayman, director of Security Services for TVA Fire & Life Safety, is responsible for managing and providing vulnerability and risk analysis and property hazard control services. In this capacity, he specializes in the physical security field, and in chemical, petrochemical, heavy industrial, utilities, and high-tech industries.