Distilled Protection
LATE ONE EVENING at an industrial gas manufacturing facility, two intruders scaled the perimeter fence and got onto the property, taking care to shield their faces from a surveillance camera affixed to the fence line. Their concern was apparently being identified after the fact, not being caught in the act of trespassing or committing other crimes they might have been considering.
What they didn’t know was that hundreds of miles away, at the company’s corporate headquarters, officers in the security command center had been alerted when the plant’s new perimeter passive infrared and video motion detection systems were breached. The company notified local law enforcement, while continuing to monitor the intruders via the on-site cameras. The activity was also being recorded.
Not wishing to risk damage to or theft from the facility, command center personnel used a loudspeaker to let the intruders know that they had been detected and were being observed. Security advised them to leave the plant before law enforcement arrived. Alarmed at the disembodied voice, the intruders fled. They were subsequently identified and arrested by local police.
“It was a good example of how a security system is supposed to work,” says Bill Koch, global director of process safety integrity at Air Products and Chemicals, Inc. (Air Products), the company where the intrusion took place.
“The old concept of security at a chemical facility was guards, gates, and alarms,” he says. “Now we are using electronic technology to secure our sites with layers of protection that are proving extremely effective.”
Koch says that the electronic alarms and surveillance capabilities have made it possible for Air Products to eliminate theft of gas cylinders at its U.S. facilities, a problem before the systems were installed about three years ago.
Air Products manufactures atmospheric gases, process and specialty gases, performance materials, and chemical intermediates. Its operations span approximately 650 manufacturing and storage facilities worldwide.
Recognizing the changing threat landscape after 9-11, management decided in 2002 that the company needed to build “a truly sustainable security culture,” explains Koch. To that end, top management issued directives to managers and all employees to regard security issues with the same level of importance as safety, which has always been a high priority at the company. At about this time, the American Chemistry Council adopted the Responsible Care Security Code (the code), containing 13 management practices to assist its members in assessing and strengthening their security programs. Air Products decided that it would use that code as its guide.
Koch, along with Larry Piotti, Air Products’ manager of corporate security, was assigned to implement the code. The duo assembled a global team that cut across departments and identified four functional areas where they believed potential vulnerabilities might exist: people, operations, transactions, and information technology.
People
Air Products has almost 20,000 workers taking nearly 12,000 international trips annually to 62 different countries. Clearly, the protection of personnel must be a major consideration.
In examining work force risks, the team determined that one vulnerability was in employee tracking. It took Air Products several days to account for all of its global employees after 9-11, for example.
The company addressed the problem by working with Rosenbluth Travel, and later American Express, to develop a worldwide employee-tracking system. It allows the company to locate and contact employees quickly in the event of an elevated terrorist threat or other emergency. Once contact has been made, the company can give the employee travel advisories or other security instructions for responding to the threat situation at hand.
The assessment also showed that better controls over who entered the property would reduce potential vulnerabilities that might be posed by contractors, customers, and neighbors living in areas where Air Products manufactures its products. To that end, Air Products has instituted a global ID card requirement for employees, contractors, and site visitors, and it has also reduced the number of contractors it uses.
With regard to the potential risk posed by insiders, Air Products had been conducting background checks on employees since 1999. But since employees and contractors manufacture and transport significant quantities of industrial gases and chemicals that could be diverted to improper purposes or could be otherwise compromised, the security team recommended an expansion of the preemployment background program to include additional checks on employees, as well as background screening of contractors and transporters.
The screening program now requires criminal background checks for each contractor employee who will work with Air Products, rejecting any who do not meet the necessary criteria. At one site, a resident contractor with 85 employees had 11 workers to whom Air Products denied access because of the new background check system.
Operations
The Air Products team also examined potential vulnerabilities in global operations, looking specifically at manufacturing facilities, warehouses, transport vehicles, and pipelines. To supplement physical security already in place—fences, gates, patrols, and access controls—the team recommended improved surveillance capabilities, which led to the installation of the system that helped nab the intruders mentioned at the beginning of the article.
The system consists of cameras, alarms, and various types of sensors, all feeding back to the central security command center. The center is located in Air Products’ Allentown, Pennsylvania, headquarters and is staffed around the clock by 16 trained security professionals.
Covenant Security Services of Philadelphia provides the security officers who staff the center and patrol company properties. Installation of equipment at all North American sites was handled by Unlimited Technology of Chester Springs, Pennsylvania.
Incident reporting. Piotti and Koch agree that one of the most valuable security improvements implemented across the company is a global security-incident reporting system, instituted in the fourth quarter of 2002 and accessible to all employees via the company intranet. Previously, employees had to phone the security department to report an incident. Now any employee can report an incident on an electronic template and submit it via e-mail to the security department. The department investigates every report, and it has received virtually no false reports.
In reviewing aggregate data coming from the system when it was first put in place, Koch noticed more suspicious activity at Air Products facilities than previously realized, such as potential thefts. The number of incidents hadn’t necessarily increased, but the introduction of the new reporting system had heightened employee awareness of security, resulting in an increase in reporting.
Employees and security staff generated 109 suspicious activity reports in 2004. “We found out a lot from our own employees through the use of this database, which allows us to review issues and take proactive measures,” Koch notes.
“And now we work directly with the Department of Homeland Security (DHS), FBI, and local law enforcement, to investigate suspicious activity we might not have been made aware of,” he says.
Transactions
According to the cross-functional team, product transactions might also be exploited by terrorists, who might assume the identity of a bona fide purchaser to try to obtain dangerous chemicals for illicit use. Air Products scrutinized its operations to see how it could reduce that threat.
Using guidance and approaches developed to support the international Chemical Weapons Convention, the FBI weapons of mass destruction prevention programs, and programs run by the Drug Enforcement Administration, in combination with the company’s hazardous chemicals list, Air Products created its own “Chemicals of Concern” (COC) product listing. This listing includes any material that could be used as a weapon of “mass effect,” as a precursor of a weapon of mass effect, or in the manufacture of illegal drugs.
The company uses this internal guidance list as a screening tool when conducting business as part of the customer qualification process. “We now examine all our transactions with 100,000 customers worldwide,” explains Koch. “And if a customer can’t prove a legal use or provide adequate security for sensitive products, we don’t sell to them.”
Of course, there is always the chance that a customer may falsely assert a legitimate use or adequate security for sensitive products. Various measures are in place to make sure that doesn’t happen.
For example, “know your customer” programs in the industry require that companies acquire certain types of data about customers. Customers must also answer a series of questions depending on the product they are seeking to purchase. Depending on their answers and their relationship with the company, Air Products might send a representative from corporate security to visit the customer’s site.
Parallel security teams in Europe and Asia are charged with the secure stewardship of products sold overseas. The COC listing is also integrated into the company’s computer system. If a customer orders an item from the COC list, the computer system places the order in a special queue, and the order receives increased attention and review in the customer qualification process.
Information Technology
Increased reliance on automated systems from process control to financial transactions makes IT systems tempting targets at any organization. Recognizing potential IT vulnerabilities, the team implemented security programs that address everything from process controls and safety systems at plants to data systems that might be subject to intellectual property intrusions and information theft.
Piotti points out that the increased reliance of business operations on IT systems also means that virtually every security investigation now has a cyber aspect to it. Recognizing that there may be little if any distinction between physical and cyber security, the company's physical security and IT security groups work closely together as an integrated corporate security team.
DHS Support
DHS has supported security improvement efforts for companies in the chemical sector by providing grants to local first responders that assist in creating secure “buffer zones” around facilities. For example, DHS grants have funded regular patrols and surveillance by local law enforcement outside the perimeter of Air Products’ properties. These additional layers of protection supplement what Air Products has done on its properties and increase the likelihood that any terrorists would be identified before they actually penetrated the facility perimeter.
Results
The many measures implemented since 9-11 encountered some resistance at first. For example, Koch acknowledges challenges early on, with some managers concerned about the costs associated with additional security measures, such as contractor screening. “But when they begin to see a measurable reduction in theft and vandalism, which has a positive impact on the bottom line, they buy in,” Koch says. As a result, the security initiatives are now widely supported by staff.
Moreover, employees are now an active part of the company’s security system and are encouraged to report potential or actual security incidents as they have always done with safety incidents. “We see employees treating security with the same high priority as safety,” he says.
Security upgrades are often costly, and so it was in this case. But, DHS Chemical Section Chief Steven G. King, CPP, who has visited Air Products to verify the security systems, says that it’s making a difference.
“Air Products has dramatically improved security at their facilities around the world,” he notes. “In my opinion, they are creating a model for security that others in the compressed gas industry should look to.”
Dorothy Kellogg is senior director of security and operations at the American Chemistry Council.
Kate McGloon is the council’s director of communications.
The Responsible Care Security Code is a registered trademark.
