Regulations that Affect Critical Infrastructure
- By Ray Gilley
- Apr 01, 2014
As the CEO of ISI Security, one of the most
difficult and time-consuming aspects of my
job is keeping up with the laws and regulations
affecting my company. This is compounded by
the fact that it’s also the job of my company to keep
up with the evolutionary changes in the laws and
emerging security trends affecting our clients, a multifaceted
task that includes reading and digesting the
statute as written along with studying the legal implications
We must keep up with the directives made by the
executive branch of government. Many times lawmakers
craft broad legislation that is actually worded
in a very vague manner and then leave it up to the
individual agencies to form the policies that put the
written law into practice.
There also are instances when the executive branch
acts unilaterally to plug holes in previously written
legislation and policy. A recent example of this is the
Aug. 1, 2013, issuance of Presidential Executive Order
Number 13650—Improving Chemical Facility Safety
and Security. Even though there is the established body
of law concerning the safety of chemical facilities, the
president felt it was necessary to issue a new set of
policies. Oftentimes, these executive orders fill gaps in
legislation that are of a time-sensitive nature and can’t
safely wait for the legislative branch to act upon.
Following the terrorist attacks of Sept. 11, 2001,
Congress passed the Homeland Security Act, creating
the Department of Homeland Security (DHS). One
of the first things congress tasked DHS with was securing
the nation’s critical infrastructure. In response,
DHS crafted NIPP, the umbrella term representing
the 16 individual Sector-Specific Plans (SSP), each
corresponding to its associated sector of protection.
Laws affecting the safety and security of six major
industries are discussed, giving a more complete understanding
of the laws and the effects these laws have
on the industry.
Chemical industry. Failure of security at these
locations can lead to a catastrophic loss of capital
through damage or destruction of expensive facilities
as well as the potential for mass casualties of site personnel
and innocent citizens living in their vicinities.
The Chemical Facility Anti-Terrorism Security Act
(CFATS) is managed by the Department of Homeland
Security, and sets up a safety certification regime
for high risk chemical production and storage facilities.
In addition, the NIPP Chemical Sector-Specific
Plan of 2010 also governs the security of chemicalrelated
facilities, and for the most part, mirrors most
of the regulatory schemes laid out in CFATS.
Other legislative schemes are mainly those involved
with the transportation of chemical components or
feed stocks to and from either processing facilities or
their final destinations with their customers. Some of
these legal structures are:
- Maritime Transportation Security Act—DHS &
- HM-232—DOT Rules Affecting Over-the-Road
- Rail Transportation Security Final Rule—TSA;
- Updated Pipeline Security Guidelines—TSA.
In light of the continuing terrorism threat and the
ever-present threat of large scale industrial accidents,
regulation in this area is expected to steadily increase.
Financial industry. As the proverbial backbone of
our economy, repercussions from a serious terrorism
incident to a major financial institution would
be swift and sweeping. A serious attack on one key
component could lead to a catastrophic cascade of
system-wide failures that could ultimately bring the
nation’s financial sector and economy to a standstill.
In response, DHS, in coordination with the Financial
and Banking Information Infrastructure Committee
(FBIIC) and the Financial Services Sector Coordinating
Council (FSSCC), developed the Banking
and Finance SSP. This policy was published in May
of 2007 as part of the NIPP and details the identification,
risk assessment, and plan development and
implementation of the nation’s financial sector.
Medical industry. While it shares with other sectors
that it is considered a soft target, medical facilities are
unique because of their ubiquitous nature. Most large
cities have several major hospitals that make protecting
this sector quite difficult and costly.
There are multiple potentially dangerous elements
kept in medical facilities including large quantities of
drugs, biological agents, toxins, flammable gasses and
radiological machinery that could be used to cause serious
mayhem in the hands of terrorists.
In 2010, Department of Health and Human Services,
in conjunction with the Healthcare and Public
Health Coordinating Council, published the updated
Healthcare and Public Health SSP. The major goals
of this SSP are to identify assets, systems, and networks;
assess risks; prioritize infrastructure; develop
and implement protective programs and resilience
strategies; and measure effectiveness.
Although these goals are somewhat interchangeable
with other sectors, it is the size and scope of the
related facilities that sets the financial sector apart. As
the poster-child for soft target infrastructure and the
emerging targeting of soft targets by terrorists, regulations
involving security will naturally increase.
Distribution industry. It is not unusual for distribution
facilities to have little to no visible security, with
it being limited to fences and security guards at best.
Because of this, the distribution industry could be
considered the softest soft target.
Of main concern is the food distribution sector.
Although it would be very difficult for terrorists to effectively
adulterate a food product with a toxin, virus
or dangerous bacteria, the results of a successful attack
would be beyond catastrophic. The impact of public
confidence would be of such a scope that it would likely
lead to cascading effects throughout the economy.
These regulations are codified in the NIPP Food
and Agriculture Site-Specific Plan of 2010, covering
food defense and food safety. Food safety deals with
keeping the food supply free from accidental contamination,
while food defense refers to protection against
intentional adulteration. A terrorist attack on the
food supply would be virtually indistinguishable from
an accidental contamination in its early stages, so
from a security standpoint, preparation is the same.
While an attack on distribution is unlikely given
the low probability of widespread effect, these facilities
are extremely soft targets that would require much
less planning, expertise and financial backing than an
attack on a hardened location. Unlike some other sectors,
it is unlikely that new legislation will be implemented
in this sector at this time.
Detention and prison industry. Having the unique
task of securing unauthorized outside entry while
also securing those inside from getting out, there
aren’t any well-known bodies of law mandating the
types and levels of required security at prisons and
At the federal level, the main body of regulation is
the National Institute for Corrections (NIC), which
is tasked with creating, maintaining and updating
accepted jail procedures for all federal detention facilities.
At the state level, each state maintains its own
procedures for its facilities.
Looking forward, there is no reason to think that
there will be any significant adjustment to the accepted
procedures in the detention industry, except, as the
nation moves forward with the Global War on Terror
(GWOT) and the potential closing of the terrorist detention
facility at Guantanamo Bay, Cuba, there may
be an increase in the number of high-value terrorist
prisoners detained inside the continental United
States. This would require an increased number of
super-max facilities and an increase in security of the
infrastructure from the outside and inside.
Laws and regulations governing security at critical
infrastructure locations amass thousands of pages.
Provided here is only a glimpse into the challenges
facing our nation’s industries. As a whole, the body
of laws and regulations will necessarily increase to
keep up with known and emerging threats, while decision
makers in each of these industries must rely
on the wise counsel of others to keep abreast of
This article originally appeared in the April 2014 issue of Security Today.
Ray Gilley is the president and CEO of ISI Security.