Regulations that Affect Critical Infrastructure

As the CEO of ISI Security, one of the most difficult and time-consuming aspects of my job is keeping up with the laws and regulations affecting my company. This is compounded by the fact that it’s also the job of my company to keep up with the evolutionary changes in the laws and emerging security trends affecting our clients, a multifaceted task that includes reading and digesting the statute as written along with studying the legal implications and impacts.

We must keep up with the directives made by the executive branch of government. Many times lawmakers craft broad legislation that is actually worded in a very vague manner and then leave it up to the individual agencies to form the policies that put the written law into practice.

There also are instances when the executive branch acts unilaterally to plug holes in previously written legislation and policy. A recent example of this is the Aug. 1, 2013, issuance of Presidential Executive Order Number 13650—Improving Chemical Facility Safety and Security. Even though there is the established body of law concerning the safety of chemical facilities, the president felt it was necessary to issue a new set of policies. Oftentimes, these executive orders fill gaps in legislation that are of a time-sensitive nature and can’t safely wait for the legislative branch to act upon.

Following the terrorist attacks of Sept. 11, 2001, Congress passed the Homeland Security Act, creating the Department of Homeland Security (DHS). One of the first things congress tasked DHS with was securing the nation’s critical infrastructure. In response, DHS crafted NIPP, the umbrella term representing the 16 individual Sector-Specific Plans (SSP), each corresponding to its associated sector of protection.

Laws affecting the safety and security of six major industries are discussed, giving a more complete understanding of the laws and the effects these laws have on the industry.

Chemical industry. Failure of security at these locations can lead to a catastrophic loss of capital through damage or destruction of expensive facilities as well as the potential for mass casualties of site personnel and innocent citizens living in their vicinities.

The Chemical Facility Anti-Terrorism Security Act (CFATS) is managed by the Department of Homeland Security, and sets up a safety certification regime for high risk chemical production and storage facilities. In addition, the NIPP Chemical Sector-Specific Plan of 2010 also governs the security of chemicalrelated facilities, and for the most part, mirrors most of the regulatory schemes laid out in CFATS.

Other legislative schemes are mainly those involved with the transportation of chemical components or feed stocks to and from either processing facilities or their final destinations with their customers. Some of these legal structures are:

  • Maritime Transportation Security Act—DHS & Coast Guard;
  • HM-232—DOT Rules Affecting Over-the-Road Transportation;
  • Rail Transportation Security Final Rule—TSA; and
  • Updated Pipeline Security Guidelines—TSA. In light of the continuing terrorism threat and the ever-present threat of large scale industrial accidents, regulation in this area is expected to steadily increase.

Financial industry. As the proverbial backbone of our economy, repercussions from a serious terrorism incident to a major financial institution would be swift and sweeping. A serious attack on one key component could lead to a catastrophic cascade of system-wide failures that could ultimately bring the nation’s financial sector and economy to a standstill.

In response, DHS, in coordination with the Financial and Banking Information Infrastructure Committee (FBIIC) and the Financial Services Sector Coordinating Council (FSSCC), developed the Banking and Finance SSP. This policy was published in May of 2007 as part of the NIPP and details the identification, risk assessment, and plan development and implementation of the nation’s financial sector.

Medical industry. While it shares with other sectors that it is considered a soft target, medical facilities are unique because of their ubiquitous nature. Most large cities have several major hospitals that make protecting this sector quite difficult and costly.

There are multiple potentially dangerous elements kept in medical facilities including large quantities of drugs, biological agents, toxins, flammable gasses and radiological machinery that could be used to cause serious mayhem in the hands of terrorists.

In 2010, Department of Health and Human Services, in conjunction with the Healthcare and Public Health Coordinating Council, published the updated Healthcare and Public Health SSP. The major goals of this SSP are to identify assets, systems, and networks; assess risks; prioritize infrastructure; develop and implement protective programs and resilience strategies; and measure effectiveness.

Although these goals are somewhat interchangeable with other sectors, it is the size and scope of the related facilities that sets the financial sector apart. As the poster-child for soft target infrastructure and the emerging targeting of soft targets by terrorists, regulations involving security will naturally increase.

Distribution industry. It is not unusual for distribution facilities to have little to no visible security, with it being limited to fences and security guards at best. Because of this, the distribution industry could be considered the softest soft target. Of main concern is the food distribution sector.

Although it would be very difficult for terrorists to effectively adulterate a food product with a toxin, virus or dangerous bacteria, the results of a successful attack would be beyond catastrophic. The impact of public confidence would be of such a scope that it would likely lead to cascading effects throughout the economy.

These regulations are codified in the NIPP Food and Agriculture Site-Specific Plan of 2010, covering food defense and food safety. Food safety deals with keeping the food supply free from accidental contamination, while food defense refers to protection against intentional adulteration. A terrorist attack on the food supply would be virtually indistinguishable from an accidental contamination in its early stages, so from a security standpoint, preparation is the same.

While an attack on distribution is unlikely given the low probability of widespread effect, these facilities are extremely soft targets that would require much less planning, expertise and financial backing than an attack on a hardened location. Unlike some other sectors, it is unlikely that new legislation will be implemented in this sector at this time.

Detention and prison industry. Having the unique task of securing unauthorized outside entry while also securing those inside from getting out, there aren’t any well-known bodies of law mandating the types and levels of required security at prisons and detention facilities.

At the federal level, the main body of regulation is the National Institute for Corrections (NIC), which is tasked with creating, maintaining and updating accepted jail procedures for all federal detention facilities. At the state level, each state maintains its own procedures for its facilities.

Looking forward, there is no reason to think that there will be any significant adjustment to the accepted procedures in the detention industry, except, as the nation moves forward with the Global War on Terror (GWOT) and the potential closing of the terrorist detention facility at Guantanamo Bay, Cuba, there may be an increase in the number of high-value terrorist prisoners detained inside the continental United States. This would require an increased number of super-max facilities and an increase in security of the infrastructure from the outside and inside.

Laws and regulations governing security at critical infrastructure locations amass thousands of pages. Provided here is only a glimpse into the challenges facing our nation’s industries. As a whole, the body of laws and regulations will necessarily increase to keep up with known and emerging threats, while decision makers in each of these industries must rely on the wise counsel of others to keep abreast of these changes.

This article originally appeared in the April 2014 issue of Security Today.


  • 12 Commercial Crime Sites to Do Your Research

    12 Commercial Crime Sites to Do Your Research

    Understanding crime statistics in your industry and area is crucial for making important decisions about your security budget. With so much information out there, how can you know which statistics to trust? Read Now

  • Boosting Safety and Efficiency

    Boosting Safety and Efficiency

    In alignment with the state of Mississippi’s mission of “Empowering Mississippi citizens to stay connected and engaged with their government,” Salient's CompleteView VMS is being installed throughout more than 150 state boards, commissions and agencies in order to ensure safety for thousands of constituents who access state services daily. Read Now

  • Live From GSX: Post-Show Review

    Live From GSX: Post-Show Review

    This year’s Live From GSX program was a rousing success! Again, we’d like to thank our partners, and IPVideo, for working with us and letting us broadcast their solutions to the industry. You can follow our Live From GSX 2023 page to keep up with post-show developments and announcements. And if you’re interested in working with us in 2024, please don’t hesitate to ask about our Live From programs for ISC West in March or next year’s GSX. Read Now

    • Industry Events
    • GSX
  • People Say the Funniest Things

    People Say the Funniest Things

    By all accounts, GSX version 2023 was completely successful. Apparently, there were plenty of mix-ups with the airlines and getting aircraft from the East Coast into Big D. I am all ears when I am in a gathering of people. You never know when a nugget of information might flip out. Read Now

    • Industry Events
    • GSX

Featured Cybersecurity


New Products

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening. 3

  • EasyGate SPT and SPD

    EasyGate SPT SPD

    Security solutions do not have to be ordinary, let alone unattractive. Having renewed their best-selling speed gates, Cominfo has once again demonstrated their Art of Security philosophy in practice — and confirmed their position as an industry-leading manufacturers of premium speed gates and turnstiles. 3

  • Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

    Connect ONE®

    Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation. 3