Chemical Plant Security Assessment: Prioritizing Facilities that Need to Be Protected

Chemical Plant Security Assessment: Prioritizing Facilities that Need to Be Protected

The security professional needs help from a process safety expert to understand and prioritize what needs to be protected on the site.

The chemical industry has been receiving continued media and government attention as having many facilities that could be terrorist targets. Unless exempt by statute or rule, chemical facilities that possess Appendix A Chemicals of Interest (COI) at the identified Screening Threshold Quantity (STQ) for any security issue must submit information for the Department of Homeland Security (DHS) review. Through an analytical review of facility COI, DHS determines a facility’s level of security risk.

About 34,000 facilities have submitted Top Screens for review by DHS, and 7,000 of those facilities were considered a High Level of Security Risk and are regulated as a "Covered Facility." The definition of “chemical facility” is very broad and could even include pool supply companies.

Security and Process Safety Experts
An evaluation of security vulnerability of any facility handling or storing hazardous chemicals requires a joint effort between a security professional and a chemical process safety professional. The security professional understands how to protect an installation -- for example, proper design of security fences and vehicle gates, intrusion detection systems, surveillance systems, site access control systems, security procedures, cyber security procedures, and proper training and qualification of security personnel.

But the security professional needs help from a process safety expert to understand and prioritize what needs to be protected on the site. The role of a process safety expert in a chemical plant security vulnerability analysis is to:

  • Understand the hazards of the materials handled or stored at the site, including acute toxicity, fire hazards, and explosion hazards.
  • Understand the ways that these hazards might be exploited by a terrorist -- for example, by release of a toxic material, fire or explosion, or theft or diversion of material for use in making explosives, bombs, or toxic materials that might be released elsewhere or used to contaminate water or food supplies.
  • Estimate the potential consequences of a loss of containment, fire, or explosion involving hazardous materials at a chemical site. This can include modeling of the consequences of material releases from a possible attack, such as releases of toxic materials or fires and explosions.
  • Based on consequence modeling, understand the potential impact of a terrorist attack on the plant and the surrounding community.
  • Understand how a facility might be attacked or sabotaged to release hazardous materials or cause fires or explosions.
  • Understand the effectiveness of process safety design features -- such as isolation valves, automatic shutdown systems, and emergency response equipment and procedures -- in mitigating the impacts of a release or process upset caused by a terrorist attack or equipment sabotage.
  • Help the security professional understand which specific facilities in the plant represent the most attractive potential terrorist targets, so that plant security resources can be directed to the areas presenting the greatest hazard.
  • Help to identify potential inherently safer design opportunities that could reduce the potential consequences of a terrorist attack and help to comply with local regulatory requirements for consideration of inherently safer technology, where these regulations exist.

Professional Societies and Industry Trade Groups
Professional societies and industry trade groups have responded to this concern by developing methodologies for security vulnerability assessment (SVA) for chemical handling facilities. The Center for Chemical Process Safety of the American Institute of Chemical Engineers developed and published a methodology for Security Vulnerability Analysis in 2003 ("Guidelines for Analyzing and Managing the Security Vulnerabilities of Fixed Chemical Sites"). The American Chemistry Council (ACC) incorporated requirements for plant security into its Responsible Care® program, and the Society of Chemical Manufacturers and Affiliates, Inc. (SOCMA) also includes security as an element of its ChemStewards® program.

Federal Regulatory Response
There also have been federal regulatory responses, including:

  • Coast Guard: The United States Coast Guard requires a security assessment and plan for about 300 chemical facilities in port areas over which it has jurisdiction, as described in 33 CFR Part 105.
  • Homeland Security Appropriations Act of 2007: This act of Congress mandated that the secretary of the Department of Homeland Security establish risk-based performance standards for the security of high-risk chemical facilities within six months of the enactment of the act. Also mandated were the development of vulnerability assessments and the development and implementation of site security plans for high-risk chemical facilities. The Chemical Facility Anti-Terrorism Standards (CFATS) interim final rule (6 CFR Part 27) was created to fulfill the requirements of this act.
  • Interim Final Rule, Chemical Facility Anti-Terrorism Standards (CFATS), published April 9, 2007: After gathering and incorporating comments from individuals, trade associations, companies, and numerous other entities, the CFATS was published as an interim final rule. An essential part of this rule was a proposed Appendix A, or the list of Chemicals of Interest (COI) and the quantities of each COI that would require a chemical facility to complete and submit a Top Screen consequence assessment to DHS through the secure online Chemical Security Assessment Tool (CSAT).
  • Appendix A to CFATS, published Nov. 20, 2007: This list consists of approximately 300 Chemicals of Interest and their individual Screening Threshold Quantities. Any facility that possesses an Appendix A COI in a quantity at or above the listed STQ for any period of time is covered by the standard and must submit a Top Screen within 60 calendar days.
  • Clarification to Chemical Facility Anti-Terrorism Standards, propane, published March 21, 2008: This notice clarifies how certain provisions of the CFATS apply to the COI propane, which is understood by DHS to contain at least 87.5 percent of the chemical propane. Specifically, this notice clarifies the STQ and counting rules that apply to the COI propane.
  • Federal Register CSAT Registration Reminder, published April 25, 2007: DHS recommends that chemical facilities register to access the CSAT system. This is a voluntary registration process for facilities that think they may be covered by the Chemical Facility Anti-Terrorism Standards located in 6 CFR Part 27 and that would like to initiate the process to determine whether or not they are covered.
  • Risk-Based Performance Standards Guidance, published May 15, 2009: This guidance provides DHS' interpretations of the level of performance facilities in each of the risk-based tiers created by CFATS should strive to achieve under each Risk-Based Performance Standard (RBPS). It also seeks to help facilities comply with CFATS by describing in greater detail the 18 RBPSs enumerated in CFATS and by providing examples of various security measures and practices that could be selected to achieve the desired level of performance for each RBPS at each tier.
  • DHS request for comment on CFATS regulatory provisions for aboveground gasoline storage tanks, published Jan. 12, 2010: DHS invited public comment on issues related to certain regulatory provisions in the CFATS that apply to facilities storing gasoline in aboveground storage tanks. Written comments were to be submitted by March 15, 2010.

State Actions
Some states are considering taking action on their own. For example, on Nov. 29, 2005, New Jersey adopted mandatory security requirements for 140 chemical facilities in the state, including a requirement for security vulnerability analysis. For 43 of those 140 facilities -- those covered by the New Jersey Toxic Catastrophe Prevention Act -- the vulnerability analysis also must include a review of the potential benefits of adopting inherently safer technology.


  • Live From ISC West: Day 2 Recap

    If it’s even possible, Day 2 of ISC West in Las Vegas, Nevada, was even busier than the first. Remember to keep tabs on our Live From ISC West page for news and updates from the show floor at the Venetian, because there’s more news coming out than anyone could be expected to keep track of. Our Live From sponsors—NAPCO Security, Alibi Security, Vistacom, RGB Spectrum, and DoorKing—kept the momentum from Day 1 going with packed booths, happy hours, giveaways, product demonstrations, and more. Read Now

    • Industry Events
    • ISC West
  • Visiting Sin City

    I’m a recovering alcoholic, ten years sober this June. I almost wrote “recovered alcoholic,” because it’s a problem I’ve long since put to bed in every practical sense. But anyone who’s dealt with addiction knows that that part of your brain never goes away. You just learn to tell the difference between that insidious voice in your head and your actual internal monologue, and you get better at telling the other guy to shut up. Read Now

  • On My Way Out the Door

    To answer that one question I always get, at every booth visit, I have seen amazing product technology, solutions and above all else, the people that make it all work. Read Now

    • Industry Events
    • ISC West
  • Return to Form

    My first security trade show was in 2021. At the time, I was awed by the sheer magnitude of the event and the spectacle of products on display. But this was the first major trade show coming out of the pandemic, and the only commentary I heard was how low the attendance was. Two representatives from one booth even spent the last morning playing catch in the aisle with their giveaway stress balls. Read Now

    • Industry Events
    • ISC West

Featured Cybersecurity

New Products

  • BIO-key MobileAuth

    BIO-key MobileAuth

    BIO-key International has introduced its new mobile app, BIO-key MobileAuth™ with PalmPositive™ the latest among over sixteen strong authentication factors available for BIO-key's PortalGuard® Identity-as-a-Service (IDaaS) platform. 3

  • Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

    Connect ONE®

    Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation. 3

  • HID Signo Readers

    HID Signo Readers

    HID Global has announced its HID® Signo™ Biometric Reader 25B that is designed to capture and read fingerprints in real-world applications and conditions. 3