Regulations that Affect Critical Infrastructure

As the CEO of ISI Security, one of the most difficult and time-consuming aspects of my job is keeping up with the laws and regulations affecting my company. This is compounded by the fact that it’s also the job of my company to keep up with the evolutionary changes in the laws and emerging security trends affecting our clients, a multifaceted task that includes reading and digesting the statute as written along with studying the legal implications and impacts.

We must keep up with the directives made by the executive branch of government. Many times lawmakers craft broad legislation that is actually worded in a very vague manner and then leave it up to the individual agencies to form the policies that put the written law into practice.

There also are instances when the executive branch acts unilaterally to plug holes in previously written legislation and policy. A recent example of this is the Aug. 1, 2013, issuance of Presidential Executive Order Number 13650—Improving Chemical Facility Safety and Security. Even though there is an established body of law concerning the safety of chemical facilities, the president felt it was necessary to issue a new set of policies. Oftentimes, these executive orders fill gaps in legislation that are of a time-sensitive nature and can’t safely wait for the legislative branch to act.

Following the terrorist attacks of Sept. 11, 2001, Congress passed the Homeland Security Act, creating the Department of Homeland Security (DHS). One of the first things Congress tasked DHS with was securing the nation’s critical infrastructure. In response, DHS crafted NIPP, the umbrella term representing the 16 individual Sector-Specific Plans (SSP), each corresponding to its associated sector of protection.

Laws affecting the safety and security of six major industries are discussed, giving a more complete understanding of the laws and the effects these laws have on the industry.

Chemical industry. Failure of security at these locations can lead to a catastrophic loss of capital through damage or destruction of expensive facilities as well as the potential for mass casualties of site personnel and innocent citizens living in their vicinities.

The Chemical Facility Anti-Terrorism Security Act (CFATS) is managed by the Department of Homeland Security and sets up a safety certification regime for high-risk chemical production and storage facilities. In addition, the NIPP Chemical Sector-Specific Plan of 2010 also governs the security of chemical-related facilities and, for the most part, mirrors the regulatory schemes laid out in CFATS.

Other legislative schemes are mainly those involved with the transportation of chemical components or feed stocks to and from either processing facilities or their final destinations with their customers. Some of these legal structures are:

  • Maritime Transportation Security Act—DHS & Coast Guard;
  • HM-232—DOT Rules Affecting Over-the-Road Transportation;
  • Rail Transportation Security Final Rule—TSA; and
  • Updated Pipeline Security Guidelines—TSA.

In light of the continuing terrorism threat and the ever-present threat of large-scale industrial accidents, regulation in this area is expected to steadily increase.

Financial industry. As the proverbial backbone of our economy, repercussions from a serious terrorism incident to a major financial institution would be swift and sweeping. A serious attack on one key component could lead to a catastrophic cascade of system-wide failures that could ultimately bring the nation’s financial sector and economy to a standstill.

In response, DHS, in coordination with the Financial and Banking Information Infrastructure Committee (FBIIC) and the Financial Services Sector Coordinating Council (FSSCC), developed the Banking and Finance SSP. This policy was published in May of 2007 as part of the NIPP and details the identification, risk assessment, and plan development and implementation of the nation’s financial sector.

Medical industry. While the medical industry, like other sectors, is considered a soft target, medical facilities are unique because of their ubiquitous nature. Most large cities have several major hospitals, which makes protecting this sector quite difficult and costly.

There are multiple potentially dangerous elements kept in medical facilities including large quantities of drugs, biological agents, toxins, flammable gasses and radiological machinery that could be used to cause serious mayhem in the hands of terrorists.

In 2010, the Department of Health and Human Services, in conjunction with the Healthcare and Public Health Coordinating Council, published the updated Healthcare and Public Health SSP. The major goals of this SSP are to identify assets, systems, and networks; assess risks; prioritize infrastructure; develop and implement protective programs and resilience strategies; and measure effectiveness.

Although these goals are somewhat interchangeable with other sectors, it is the size and scope of the related facilities that sets the financial sector apart. As the poster-child for soft target infrastructure and the emerging targeting of soft targets by terrorists, regulations involving security will naturally increase.

Distribution industry. It is not unusual for distribution facilities to have little to no visible security, with it being limited to fences and security guards at best. Because of this, the distribution industry could be considered the softest soft target. Of main concern is the food distribution sector.

Although it would be very difficult for terrorists to effectively adulterate a food product with a toxin, virus or dangerous bacteria, the results of a successful attack would be beyond catastrophic. The impact on public confidence would be of such a scope that it would likely lead to cascading effects throughout the economy.

These regulations are codified in the NIPP Food and Agriculture Site-Specific Plan of 2010, covering food defense and food safety. Food safety deals with keeping the food supply free from accidental contamination, while food defense refers to protection against intentional adulteration. A terrorist attack on the food supply would be virtually indistinguishable from an accidental contamination in its early stages, so from a security standpoint, preparation is the same.

While an attack on distribution is unlikely given the low probability of widespread effect, these facilities are extremely soft targets that would require much less planning, expertise and financial backing than an attack on a hardened location. Unlike some other sectors, it is unlikely that new legislation will be implemented in this sector at this time.

Detention and prison industry. Prisons and detention facilities have the unique task of preventing unauthorized outside entry while also keeping those inside from getting out. There aren’t any well-known bodies of law mandating the types and levels of required security at these facilities.

At the federal level, the main body of regulation is the National Institute for Corrections (NIC), which is tasked with creating, maintaining and updating accepted jail procedures for all federal detention facilities. At the state level, each state maintains its own procedures for its facilities.

Looking forward, there is no reason to think that there will be any significant adjustment to the accepted procedures in the detention industry, except, as the nation moves forward with the Global War on Terror (GWOT) and the potential closing of the terrorist detention facility at Guantanamo Bay, Cuba, there may be an increase in the number of high-value terrorist prisoners detained inside the continental United States. This would require an increased number of super-max facilities and an increase in security of the infrastructure from the outside and inside.

Laws and regulations governing security at critical infrastructure locations amass thousands of pages. Provided here is only a glimpse into the challenges facing our nation’s industries. As a whole, the body of laws and regulations will necessarily increase to keep up with known and emerging threats, while decision makers in each of these industries must rely on the wise counsel of others to keep abreast of these changes.

This article originally appeared in the April 2014 issue of Security Today.
