Regulations that Affect Critical Infrastructure

  • By Ray Gilley
  • Apr 01, 2014

As the CEO of ISI Security, one of the most difficult and time-consuming aspects of my job is keeping up with the laws and regulations affecting my company. This is compounded by the fact that it’s also the job of my company to keep up with the evolutionary changes in the laws and emerging security trends affecting our clients, a multifaceted task that includes reading and digesting the statute as written along with studying the legal implications and impacts.

We must keep up with the directives made by the executive branch of government. Many times lawmakers craft broad legislation that is actually worded in a very vague manner and then leave it up to the individual agencies to form the policies that put the written law into practice.

There also are instances when the executive branch acts unilaterally to plug holes in previously written legislation and policy. A recent example of this is the Aug. 1, 2013, issuance of Presidential Executive Order Number 13650—Improving Chemical Facility Safety and Security. Even though there is the established body of law concerning the safety of chemical facilities, the president felt it was necessary to issue a new set of policies. Oftentimes, these executive orders fill gaps in legislation that are of a time-sensitive nature and can’t safely wait for the legislative branch to act upon.

Following the terrorist attacks of Sept. 11, 2001, Congress passed the Homeland Security Act, creating the Department of Homeland Security (DHS). One of the first things congress tasked DHS with was securing the nation’s critical infrastructure. In response, DHS crafted NIPP, the umbrella term representing the 16 individual Sector-Specific Plans (SSP), each corresponding to its associated sector of protection.

Laws affecting the safety and security of six major industries are discussed, giving a more complete understanding of the laws and the effects these laws have on the industry.

Chemical industry. Failure of security at these locations can lead to a catastrophic loss of capital through damage or destruction of expensive facilities as well as the potential for mass casualties of site personnel and innocent citizens living in their vicinities.

The Chemical Facility Anti-Terrorism Security Act (CFATS) is managed by the Department of Homeland Security, and sets up a safety certification regime for high risk chemical production and storage facilities. In addition, the NIPP Chemical Sector-Specific Plan of 2010 also governs the security of chemicalrelated facilities, and for the most part, mirrors most of the regulatory schemes laid out in CFATS.

Other legislative schemes are mainly those involved with the transportation of chemical components or feed stocks to and from either processing facilities or their final destinations with their customers. Some of these legal structures are:

  • Maritime Transportation Security Act—DHS & Coast Guard;
  • HM-232—DOT Rules Affecting Over-the-Road Transportation;
  • Rail Transportation Security Final Rule—TSA; and
  • Updated Pipeline Security Guidelines—TSA. In light of the continuing terrorism threat and the ever-present threat of large scale industrial accidents, regulation in this area is expected to steadily increase.

Financial industry. As the proverbial backbone of our economy, repercussions from a serious terrorism incident to a major financial institution would be swift and sweeping. A serious attack on one key component could lead to a catastrophic cascade of system-wide failures that could ultimately bring the nation’s financial sector and economy to a standstill.

In response, DHS, in coordination with the Financial and Banking Information Infrastructure Committee (FBIIC) and the Financial Services Sector Coordinating Council (FSSCC), developed the Banking and Finance SSP. This policy was published in May of 2007 as part of the NIPP and details the identification, risk assessment, and plan development and implementation of the nation’s financial sector.

Medical industry. While it shares with other sectors that it is considered a soft target, medical facilities are unique because of their ubiquitous nature. Most large cities have several major hospitals that make protecting this sector quite difficult and costly.

There are multiple potentially dangerous elements kept in medical facilities including large quantities of drugs, biological agents, toxins, flammable gasses and radiological machinery that could be used to cause serious mayhem in the hands of terrorists.

In 2010, Department of Health and Human Services, in conjunction with the Healthcare and Public Health Coordinating Council, published the updated Healthcare and Public Health SSP. The major goals of this SSP are to identify assets, systems, and networks; assess risks; prioritize infrastructure; develop and implement protective programs and resilience strategies; and measure effectiveness.

Although these goals are somewhat interchangeable with other sectors, it is the size and scope of the related facilities that sets the financial sector apart. As the poster-child for soft target infrastructure and the emerging targeting of soft targets by terrorists, regulations involving security will naturally increase.

Distribution industry. It is not unusual for distribution facilities to have little to no visible security, with it being limited to fences and security guards at best. Because of this, the distribution industry could be considered the softest soft target. Of main concern is the food distribution sector.

Although it would be very difficult for terrorists to effectively adulterate a food product with a toxin, virus or dangerous bacteria, the results of a successful attack would be beyond catastrophic. The impact of public confidence would be of such a scope that it would likely lead to cascading effects throughout the economy.

These regulations are codified in the NIPP Food and Agriculture Site-Specific Plan of 2010, covering food defense and food safety. Food safety deals with keeping the food supply free from accidental contamination, while food defense refers to protection against intentional adulteration. A terrorist attack on the food supply would be virtually indistinguishable from an accidental contamination in its early stages, so from a security standpoint, preparation is the same.

While an attack on distribution is unlikely given the low probability of widespread effect, these facilities are extremely soft targets that would require much less planning, expertise and financial backing than an attack on a hardened location. Unlike some other sectors, it is unlikely that new legislation will be implemented in this sector at this time.

Detention and prison industry. Having the unique task of securing unauthorized outside entry while also securing those inside from getting out, there aren’t any well-known bodies of law mandating the types and levels of required security at prisons and detention facilities.

At the federal level, the main body of regulation is the National Institute for Corrections (NIC), which is tasked with creating, maintaining and updating accepted jail procedures for all federal detention facilities. At the state level, each state maintains its own procedures for its facilities.

Looking forward, there is no reason to think that there will be any significant adjustment to the accepted procedures in the detention industry, except, as the nation moves forward with the Global War on Terror (GWOT) and the potential closing of the terrorist detention facility at Guantanamo Bay, Cuba, there may be an increase in the number of high-value terrorist prisoners detained inside the continental United States. This would require an increased number of super-max facilities and an increase in security of the infrastructure from the outside and inside.

Laws and regulations governing security at critical infrastructure locations amass thousands of pages. Provided here is only a glimpse into the challenges facing our nation’s industries. As a whole, the body of laws and regulations will necessarily increase to keep up with known and emerging threats, while decision makers in each of these industries must rely on the wise counsel of others to keep abreast of these changes.

This article originally appeared in the April 2014 issue of Security Today.

Featured

  • The Next Generation

    Video security technology has reached an inflection point. With advancements in cloud infrastructure and internet bandwidth, hybrid cloud solutions can now deliver new capabilities and business opportunities for security professionals and their customers. Read Now

  • Help Your Customer Protect Themselves

    In the world of IT, insider threats are on a steep upward trajectory. The cost of these threats - including negligent and malicious employees that may steal authorized users’ credentials, rose from $8.3 million in 2018 to $16.2 million in 2023. Insider threats towards physical infrastructures often bleed into the realm of cybersecurity; for instance, consider an unauthorized user breaching a physical data center and plugging in a laptop to download and steal sensitive digital information. Read Now

  • Enhanced Situation Awareness

    Did someone break into the building? Maybe it is just an employee pulling an all-nighter. Or is it an actual perpetrator? Audio analytics, available in many AI-enabled cameras, can add context to what operators see on the screen, helping them validate assumptions. If a glass-break detection alert is received moments before seeing a person on camera, the added situational awareness makes the event more actionable. Read Now

  • Transformative Advances

    Over the past decade, machine learning has enabled transformative advances in physical security technology. We have seen some amazing progress in using machine learning algorithms to train computers to assess and improve computational processes. Although such tools are helpful for security and operations, machines are still far from being capable of thinking or acting like humans. They do, however, offer unique opportunities for teams to enhance security and productivity. Read Now

Most   Popular

Featured Cybersecurity

New Products

  • Unified VMS

    AxxonSoft introduces version 2.0 of the Axxon One VMS. The new release features integrations with various physical security systems, making Axxon One a unified VMS. Other enhancements include new AI video analytics and intelligent search functions, hardened cybersecurity, usability and performance improvements, and expanded cloud capabilities 3

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure. 3

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings. 3