Understanding the growing threat potential in our post 9/11 climate, which includes cyberattack operations targeting industrial networks, utilities and other critical infrastructure, the United States government has raised the bar on regulations governing critical infrastructures such as ports, petrochemical plants and the energy sector. It is extremely important that critical infrastructure organizations abide by all protocols in accordance with evolving regulatory requirements such as the Maritime Transportation Security Act (MTSA) and Chemical Facility Anti-Terrorism Standards (CFATS).
Critical infrastructure such as refineries and petrochemical plants pose significant security challenges. An accidental or intentional incident at a critical infrastructure facility could result in unexpected costs or, even, injury and death. Due to the nature of the work performed and its importance to the economy, these facilities are also high-value targets for acts of terrorism.
Incapacitation of critical infrastructure assets, systems or networks - physical or virtual - can result in a debilitating effect on national public health and safety and national economic security. As such, the U.S. Government’s President Policy Directive 21: Critical Infrastructure Security and Resilience is a national policy that secures and maintains critical infrastructure and is a directive that supersedes the Homeland Security Presidential Directive 7.
When developing a security plan for a critical infrastructure facility, the following components are mandatory to address:
Regulatory Compliance
All personnel, including contractors, need to ensure that all site safety and requirements of Chemical Facility Anti-Terrorism Standards (CFATS), Maritime Transportation Security Act (MTSA) along with OHSA guidelines, are met.
Due to the burst of cyberattacks that our nation faced in 2021, CISA released a new fact sheet, Chemical Facility Anti-Terrorism Standards (CFATS): Reporting Cyber Incidents, to help high-risk CFATS facilities know how and when to report significant cyber incidents under Risk-Based Performance Standard (RBPS) 8 – Cyber and RBPS 15 – Reporting of Significant Security Incidents.
Safety
Safety programs for site and plant safety should focus on both procedures and processes which guide day-to-day operations for employees, visitors, and contractors.
Company-wide safety programs instill a personal commitment to safety with all employees and result in fewer accidents, less time lost from work due to injury, and fewer service interruptions. The safety program, reinforced by a safety manual, should be overseen by a committee. The committee generally includes representation by senior management, safety and risk executives, operational teams, and corporate representatives, who all work to promote consistent, safe work practices at each site.
Training
Local and national level training across key areas such as anti-terrorism, CFATS training and standards, maritime, emergency preparedness and evacuations, cybersecurity is important.
Training needs to be highly specialized and focused on the individual critical infrastructure. Industry training topics include CFATS, MTSA, C-TPAT, NERC -CIP, fire safety, evacuations, search techniques, terrorism awareness and HAZMAT. Based on specific work environments, security officers are compliant with required credentials or certifications. It is important that monthly drills and training unique to the industry are conducted.
Security professionals contracted to protect critical infrastructure are comprehensively screened and complete a demanding training program emphasizing safety, access control, incident response, and compliance with applicable regulations. Specialized training may include compliance with NERC-CIP, CFATS, and other regulatory requirements. It is vitally important the security team is up to date with OSHA, American Chemical Council, and other regulatory agency guidelines to ensure industry compliance.
Hiring the Right Security Personnel
Chemical, petrochemical, and utilities security officers are trained in plant safety and chemical industry security regulations. Beyond the training, however, it is a unique, self-motivated person who works to secure these facilities. At times, security has to be on shift by themselves, making self-motivation a key attribute. Many of these environments are not in conventional spaces and there may be hazardous materials around.
Infrastructure companies most often look for security personnel that have military or law enforcement backgrounds.
Because these facilities are open 24/7, offering a wide variety of shifts, the flexibility is appealing to single parents who may go to school during the day, and work at night, for example, and these security professionals often make long-term commitments to these jobs sites. As the training and experience are rigorous, the pay is higher than traditional security.
Pandemic
The pandemic necessitates that critical infrastructure facilities have specific industry solutions, based upon their unique needs, such as temperature checks, PPE instruction to employees, visitors and contractors allowing accountability and reporting for leadership and safety regulatory rules.
Partnerships
Partnerships and collaborations are critical to the sector with organizations such as ASIS International, American Fuel and Petrochemical Manufacturers (AFPM) association, Energy Security Council (ESC), International Liquid Terminal Association (ILTA) and the Society of Chemical Manufacturers & Affiliates (SOCMA) ensure that the company stays in tune with the industry’s most recent developments.
Cyber and Physical Security Essential in Securing Critical Infrastructure
As all facilities continue to increase their reliance on computer-controlled systems, protecting against disruption—such as cyber intrusions, malware attacks, and viruses—is an increasingly essential component in managing overall risk for critical infrastructure facilities.
A cyber or physical attack on industrial control systems and networks can disrupt operations or even deny critical services to the world at large. The Cybersecurity and Infrastructure Security Agency developed the Cybersecurity and Physical Security Convergence Guide about convergence and the benefits of a security strategy that aligns cybersecurity and physical security functions with organizational priorities and business objectives.
Creating a world-class security program for a critical infrastructure facility starts with staffing a team of highly trained people to support the security mission. While security is of paramount concern, safety is an equally dominant driver in building a physical security team.
Why does safety sit alongside security as an equal partner? Maintaining a safe work environment in an industrial institution is vital for employees’ productivity and well-being, and the security team plays an integral role in cultivating a culture of safety and security. Organizations that thrive empower their security teams to be competitive, resilient and inspired in a 21st-century society so they can continue to be relevant, challenged, engaged and productive.
