​Just before Hurricane Harvey made landfall on Friday, August 25, 2017, chemical manufacturer Arkema made the decision to shut down its plant in Crosby, Texas, to brace for the storm. The plant soon lost power and received almost 40 inches of rain by Monday afternoon, causing heavy flooding that inundated its backup generators. A small crew of 11 people remained on site to monitor the storm damage and the safety of the organic peroxides that were stored at the plant.

These chemicals needed to be stored at a low temperature. But after the plant's backup generators were flooded, refrigeration failed. So, the crew transferred the chemicals from their current storage in warehouses into diesel-powered refrigerated containers and continued to monitor the situation—which worsened as the rain continued to pour down.

With the water continuing to rise, Arkema was forced to make another difficult decision: evacuate the plant and the 1.5-mile radius around it.

"Arkema is limited in what it can do to address the site conditions until the storm abates," the company said in a press release. "We are monitoring the temperature of each refrigeration container remotely. At this time, while we do not believe there is any imminent danger, the potential for a chemical reaction leading to a fire and/or explosion within the site confines is real."

To reduce the threat of an explosion injuring others, Arkema worked with the U.S. Department of Homeland Security (DHS) and the State of Texas to continue to monitor the situation. They soon realized that while the chemicals were not fully igniting as they began to warm up, they were beginning to degrade. To address the threat, Arkema decided to ignite the containers the chemicals were housed in to eliminate the threat of an uncontrolled blast.

 "This decision was made by Arkema Inc. in full coordination with unified command," the company said. "These measures do not pose any additional risk to the community, and both Arkema and members of the unified command believe this is the safest approach."

While the situation in Crosby was not ideal, it showed how facilities that manufacture, store, and transport chemicals in the United States are embracing a new mindset towards security and planning how to handle the worst-case scenario when it happens—whether it is a power outage or a terror attack.

One effort that's helping to spearhead this mindset is DHS's Chemical Facility Anti-Terrorism Standards (CFATS) program, which has sought to address and mitigate the threat of chemicals since its inception in 2007.

 "In 2007, chemical security was fairly new and people weren't really sure what it meant," says CFATS Acting Director Amy Graydon. "We've since been able to foster this environment of chemical security."

But that environment could be in danger if Congress does not reauthorize the CFATS program, which is set to expire in January 2019.

"We think that reauthorization is the key to reducing the threat of terrorists using chemicals," Graydon explains. "We think that the program has really reduced the risks and is an important element of making the country more secure."

CFATS Basics

In the 2007 DHS Approp­riations Act, Congress required the agency to create regulations that established risk-based performance standards for chemical facilities that present high levels of risk. DHS was also mandated to subject these facilities to vulnerability assessments and require them to develop and implement site security plans.

To do this, DHS worked with industry to create the CFATS program—which is part of its Infrastructure Security Compliance Division (ISCD). The program identifies and regulates facilities that possess chemicals of interest at specific concentrations and quantities.

These concentrations and quantities are listed in what's referred to as Appendix A of the CFATS regulation. More than 300 chemicals are included, along with their screening threshold quantities. The chemicals are also categorized into three groups depending on the potential security threat of the substances: release, theft or diversion, and sabotage.

Facilities that meet or exceed the screening threshold quantities for chemicals of interest listed in Appendix A are required to report their possessions to DHS via a questionnaire called a Top-Screen.

ISCD then reviews that Top-Screen and notifies facilities if they are considered high risk and ranks them into Tier 1, 2, 3, or 4—with Tier 1 the highest. As of February 2018, ISCD had received Top-Screens from more than 40,000 facilities and determined that roughly 3,500 of those are high risk and must comply with CFATS.

Facilities that are tiered then must submit a Security Vulnerability Assessment and a Site Security Plan, or an Alternative Security Plan, that meets risk-based performance standards detailed in the CFATS regulation. These standards address factors such as perimeter security, access control, personnel security, and cybersecurity. The stringency of the requirements varies based on what tier a facility falls into, and facilities can create their own security plans—rather than having CFATS create a prescriptive security plan for them.

Once the plans have been submitted, ISCD inspectors perform a facilities inspection before approving the plans for implementation.

This process has proved beneficial to facility operators, says Jennifer Gibson, vice president of regulatory affairs for the National Association of Chemical Distributors.

"Those visits, while cumbersome, allowed for a lot of back and forth, getting clarity on what the agency was looking for," Gibson explains. "Usually it turned out that a facility would make changes to its plan, based on that inspection."

After inspectors approve the plans, facilities are expected to implement them. If they do not, they can be ordered to cease operations or issued a civil fine, with a maximum penalty of $33,333 per day per violation, as of February 2018.

Facilities are also required to resubmit their Top-Screen if they have a change in holdings, such as using new chemicals of interest for business processes.

"It could be that they may need some other security measures because we look at the type of chemical and its risks," Graydon says. "So, for theft and diversion, we're worried that a terrorist could be intentionally trying to either steal or divert the chemical for misuse; whereas for release, it's that the terrorist would be coming to the facility to cause a release."

During its first five years, CFATS did not approve a single facility site security plan. But since then, it has made major strides and completely eliminated its backlog to move into the compliance phase of the program. Now, approximately 140 inspectors are visiting sites based on risk—there is no mandated requirement for how often inspections occur.

"We have the compliance inspection index, and it takes into consideration a facility's tier, the number of planned measures that a facility has, and the amount of time since the last inspection," Graydon says. "So, we can get to folks in an appropriate manner."

CFATS Changes

After CFATS was up and running, some members of Congress and the chemical sector expressed concerns about the program. Primarily, concerns centered around the "administrative burden associated with the development of facility security plans and the pace of DHS efforts to process and approve them," according to a U.S. Government Accountability Office (GAO) report.

Congress addressed these concerns by passing the Protecting and Securing Chemical Facilities from Terrorists Attacks Act in 2014. It reauthorized the CFATS program and created an Expedited Approval Program (EAP), a voluntary option for Tier 3 and 4 facilities regulated under CFATS.

The EAP allows DHS to identify specific security measures that meet the risk-based performance standards of CFATS that facilities must implement to be compliant.

For example, release facilities would have to certify that their emergency equipment included at least one of the following: a redundant radio system that's interoperable with law enforcement and first responders, at least one backup communications system, an emergency notification system, an automated control system or process safeguards to place critical assets in a "safe and stable condition," or emergency safe-shutdown procedures.

"The EAP is expected to reduce the time and burden on smaller chemical companies, which may lack the compliance infrastructure and resources of large chemical facilities," GAO said.

CFATS implemented the EAP in June 2015. But as of April 2017, GAO found that only two organizations of 2,496 eligible facilities had used the EAP.

"Officials representing the two EAP chemical facilities told us that their companies involve small operations that store a single chemical of interest on site and do not have staff with extensive experience or expertise in chemical security," GAO reported.

Representatives from the two facilities also said they used the EAP because it helped them reduce the time and cost to prepare and submit their site security plans.

"For example, the contractor who prepared the site security plan for one of the two EAP facilities said that the facility probably saved $2,500 to $3,500 in consulting fees by using the EAP instead of a standard security plan."

Ultimately, only one of these organizations followed through with the EAP process because the other was later re-tiered and no longer considered a high-risk facility subject to CFATS.

Since the GAO report was issued, 16 facilities have used the EAP and Graydon says she is optimistic that more facilities will use the program moving forward.

"We think that only two facilities might have taken advantage of the EAP program because of where all facilities were in the process already by the time it rolled out," she adds. "Most facilities had already completed their site security plans or their alternative security programs."

Graydon's sentiments echo GAO's analysis, which found that the timing of EAP's implementation, its prescriptive nature, the lack of an authorization inspection, and a certification form requirement may have initially hindered participation in the program.

"DHS conducts in-person authorization inspections to confirm that security plans address risks under the standard process, but does not conduct them under the expedited program," GAO said. "DHS officials noted that some facilities may prefer having this inspection because it provides them useful information."

Since the EAP's rollout, CFATS has made other changes to the program that might also affect participation. For instance, DHS updated the online tool that facilities use to send data to ISCD for their Top-Screen to make it a much more streamlined process.

"We really took the opportunity to streamline and bring it up into the 21st century so we were using smart tools with logic," Graydon says. "We were able to reduce some duplicative questions, reducing the time it would take people by 50 percent—down to six hours."

This streamlining effort cascaded throughout CFATS data collection processes, dropping the time it took to complete a security vulnerability assessment from 65 hours to 2.5 hours, and site security plans from 225 hours to 20 hours.

"We were able to do that because the reauthorization had given us the stability to move forward," Graydon says. "The reauthorization gave not only industry the stability it needed to make capital investments…it gave us the opportunity to make some internal changes as well."

CFATS also launched a re-tiering effort looking at 27,000 facilities' initial Top-Screens from 2007 and 2008, and asking them to resubmit. It then re-tiered some facilities by incorporating threat and vulnerability into the overall tiering methodology, which is not public.

"We refined what we were looking at, particularly for facilities for theft and diversion," Graydon says. "We were able to incorporate some inherent vulnerability in that." For instance, Graydon gave the example of looking at the portability of chemicals and taking that into account when determining the risk level for a facility.

"It would be easier to steal a vial than a big tank; we were able to model the actual amount of the chemicals…," and include them in the tiering methodology, Graydon adds.

In a recent hearing before the U.S. House Homeland Security Subcommittee on Cybersecurity & Infrastructure Protection, Chet Thompson—president of the American Fuel and Petrochemical Manufacturers—said the re-tiering effort was an improvement on the old system.

"Folks believe risks are being better assessed, and a number of our facilities have been re-tiered," he explained.

However, Kirsten Meskill, director of corporate security for BASF Corporation, testifying on behalf of the American Chemistry Council (ACC), said that while ACC has seen a reduction in higher-risk facilities under the re-tiering, there's still a lack of transparency in the process.

"We don't know how these risk tierings were applied to the general sites," she said, adding that—from her perspective—there was no way to know whether the new method is addressing "real risks out there."

To address this, panelists at the hearing suggested that the GAO be brought in to review the new CFATS tiering methodology and issue a report on its effectiveness.

​Future of CFATS

Despite some complaints about lack of transparency, all the panelists at the subcommittee hearing were in favor of reauthorizing the CFATS program.

"Any lapse in the program would be a serious concern to us," said Pete Mutschler, environment, health, and safety director for CHS Inc., adding that it would be "highly disruptive to both the industry and the regulated community" if CFATS were allowed to lapse and then be reinstated.

Mutschler said he was in favor of a multiyear reauthorization for CFATS to provide certainty to the regulated community so it can make "long-term investments" in security to comply with the program.

Doug Leigh, who serves as manager of legislative affairs for the National Association of Chemical Distributors, says that his members are also in favor of a lengthy reauthorization for the CFATS program.

"The last thing we want to see is a three-month reauthorization," Leigh says. "It would be going backwards instead of going forwards."

Graydon says she is optimistic about CFATS being reauthorized by Congress, due to its track record over the past several years in improving processes and reducing risk.

"We feel that we have demonstrated that we are a smart regulatory program—that we look for efficiencies," Graydon explains. "We are able to incorporate lessons learned, and we would like permanent or long-term reauthorization to make sure we have continued stability for industry and the program to continue to make efficiencies."

As of Security Management's press time, no member of Congress had introduced a bill to reauthorize the CFATS program.