CFATS Is Coming Of Age

• By Carlos Barbosa
• Dec 14, 2010

The Chemical Facility Anti-Terrorism Standards (CFATS) are coming of age. This federal regulation is finally becoming the autonomous, living organism the chemical, petrochemical and related industries were expecting a few years back. In simpler, less dramatic terms, CFATS has grown teeth.

CFATS has demonstrated that security is more than a necessary evil for the industry. Security departments are being morphed, re-invented and defined as we speak as a result of this mandate.

It is clear that the days of the “let’s wait and see” approach are coming to an end and the real expectations of Department of Homeland Security in relation with Site Security Plans and security audits are becoming clearer and clearer every day. This realization is becoming painful for some. Almost no Site Security Plan has been approved by DHS by the time of publication of this article.

The reasons why this is happening are multiple and varied in nature but one critical explanation may be that CFATS is -- for the first time -- forcing the industry to approach security from a holistic perspective not focusing on just one -or a few- security measures such as technology, manned guarding or security procedures.

For instance, CFATS requires high-risk facilities to comply with more than a dozen Risk-Based Performance Standards (RBPSs), as applicable. The risk-based nature of the performance standards means that the most at-risk facilities -- the relatively small number of Tier 1 sites – will have more stringent security measures relative to the least risky sites – the more prevalent Tier 4 sites.

Regardless of tier level, many of the RBPSs will require the enhancement of existing security measures. For example, a chemical plant may need to strengthen its perimeter fencing, hire security officers, install additional cameras, and replace gates with anti-crash barriers. A couple of years ago, DHS released its RBPS Guidance document to assist regulated facilities in better understanding the intent of each RBPS, and to offer suggestions for compliance. 

How to comply with any specific RBPS, however, remains less than certain. For example, under RBPS 4, a regulated facility must “deter, detect, and delay an attack, creating sufficient time between detection of an attack and the point at which the attack becomes successful….” What this means in practice likely will vary from facility to facility – even for facilities within the same risk-tier.

Notwithstanding the inherent flexibility afforded by a performance-based regulation, RBPS Guidance document Metric 4.5, titled “Interdiction by Security Forces or Other Means,” has raised eyebrows. For a Tier 1 facility, the RBPS Final Draft Guidance states that “the facility is extremely likely to be able to detect and initiate a response to armed intruders resulting in the intruders being interdicted before they reach a target asset or other potentially critical target…If security forces are used, they may be contract or proprietary, mobile or posted, armed or unarmed, or a combination thereof.”

Generally, due to safety concerns, chemical and petrochemical facilities do not employ armed security forces. Introducing firearms -- even by well trained personnel -- in and around highly flammable materials, among other things, creates additional risks. In fact, many chemical and petrochemical facilities expressly prohibit firearms anywhere onsite -- including in an employee’s personally-owned vehicle parked in the facility parking area.

Other facilities are carefully considering the issue and choose to arm all security officers following strict safety protocols and use-of-force policies. In other instances, only a subset of security officers may be armed. For example, security officers who monitor cameras or intrusion detection systems may be unarmed while the security officers who patrol on foot or in vehicles may be armed.

Deploying a “rapid reaction team” offers an alternative to the on-site use of armed security officers and has been floated in the context of CFATS and, in particular, for RBPS 4 compliance. In areas with many CFATS-regulated facilities in close physical proximity to each other, a “rapid reaction team” could provide a common patrol and armed security presence to all facilities. This has the benefit of mitigating some safety concerns while providing a reliable method to interdict armed intruders pursuant to RBPS Metric 4.5.

Undoubtedly, some facilities will rely more on additional physical and technological security enhancements to achieve compliance with RBPS 4 in a manner that reduces the need for security officers. For example, some facilities may decide to install video management technologies to detect any potential attack with sufficient time to react. Furthermore, some facilities may utilize video analytics as an added layer of protection.

Regardless of what alternative for specific RBPS compliance the facilities ultimately choose, it has been our experience that those Site Security Plans that rely on a balanced and well crafted mix of manned, technological and procedural security measures have better chances of quick approval than those that rely heavily on just a sub-set of applications. Therefore, the task at hand for the security manager in charge of defining these SSPs is very complex. External help, in many cases, is the only practical alternative but then again, security organizations capable of designing and implementing an integrated security solution that will satisfy all Risk-Based Performance Standards are scarce.

Only time will dictate how the final implementation of CFATS plays out. As an integral part of our critical infrastructure, we will be watching. So will the federal government.