Six years after the 9/11 attacks and 12 years on from the Oklahoma City bombing, the risk of a terrorist attack against chemical facilities and other critical U.S. infrastructure remains a serious homeland security issue. Many chemical companies have proactively set their own security standards and are working closely with federal, state, and local government agencies. Organizations such as the American Chemistry Council have led the way, developing a voluntary security regimen under the Responsible Care program. Its 130 members have invested nearly $5bn ( 3.2bn) since 2001 to enhance security at their facilities.

However, concerns about chemical security extend well beyond the confines of chemical manufacturers to a variety of chemical users and distributors, which may not be fully aware of the potential terrorist danger certain chemicals pose and may not have taken appropriate security measures.

The result is the Chemical Facility Anti-Terrorism Standards (CFATS) regulatory framework, put forth last year by the Department of Homeland Security (DHS) by authorization of Congress. All provisions of CFATS became operative last November.

The DHS regulations cover a wide range of organizations that manufacture, use, store, or distribute chemicals. All regulated facilities must comply with statutory requirements for the submission and protection of information developed under CFATS. These include: vulnerability assessments, site security plans, and other security-related information, records, and documents, which will be protected from public disclosure. Included are Chemical-terrorism Vulnerability Information (CVI) plans and Site Vulnerability Assessment (SVA) information.

CFATS imposes a new compliance burden, but companies can better manage that drain on resources by proactively taking practical steps to secure the necessary information and assess their site's vulnerability. Here is a summary of preparatory suggestions for regulated facilities:

Address Internal Training and Document Management. The facility should identify who is going to be the CVI director and who will have access to CVI sensitive information and documents. These individuals should be properly trained with respect to the document security requirements, and they should be provided with the necessary document storage equipment and systems. The CVI requirements apply to all senior managers and members of the board of directors, and they govern the control of paper documents as well as electronic information.

Identify Documents Requiring CVI Classification. As of January 22, with the submittal of the Top Screen, all regulated facilities have documents that are classified as "sensitive," and they must be secured in accordance with the facility CVI plan.

Begin SVA Preparation. At the same time, regulated facilities, particularly those that suspect they will be classified as Tier 1 or 2, should begin the process of preparing an SVA. This may necessitate gathering and organizing various component plans and procedures, including: site layout drawings and plans with details of property lines, ingress/egress points, traffic flow, and locations of major structures and process equipment. A comprehensive schedule of the Chemicals of Interest, the relevant inventories, locations and methods of transportation is also critical and constitutes another prerequisite for a DHS-approved SVA study. A schedule of assets will need to be developed to identify critical plant equipment, structures and processes, critical functions, and interdependencies. The schedule of assets should include infrastructure and utilities, such as steam systems, water systems and electricity grids and the inherent dependencies of the plant upon them, as well as whether the hardware is on or off-site.

Gather Data on Countermeasures. The site's existing countermeasures have a direct impact on the facility's ability to mitigate plausible terrorist scenarios. Conducting an evaluation of their effectiveness or lack thereof is one of the later and more critical steps of the SVA process. Information gathered in preparation of this evaluation should include, but not be limited to, architectural plans for the site and buildings, as-built drawings for electronic security systems such as CCTV systems, card access systems, and intrusion detection systems, maintenance and repair records for these systems, standard operating procedures pertaining to physical and cyber security, a breakdown of the security staff, all information pertaining to security-related training, the various posts security personnel are assigned to and all supporting documentation that sets forth their day-to-day duties, as well as duties associated with elevated threat conditions.

Include Emergency Response Plans. Drawings that pertain to plant equipment that mitigates fires, explosions, spills and toxic gas releases would also be helpful. Crisis management, disaster recovery, and emergency response plans that point toward prevention activities, reaction and mitigation capabilities, as well as documentation listing the regularity of any drills and exercises in place to support these efforts should be included in the consequence mitigation analysis.

Fabrice Lebourgeois is the national practice leader for Marsh's chemicals practice. Neal Drawas is managing director of the environmental, health and safety practice at Marsh's Risk Consulting Practice.
http://www.icis.com