As we get closer to the RSA Conference in March, I want to highlight some of the topics scheduled to be part of the Physical Security and Critical Infrastructure track.  The subjects cover an array of issues from lock picking to the integrity of the electrical grid.  One topic that is gaining increasing attention is the security of chemical plants.  Given the potential terrorist applications of various chemical compounds and the always present danger of accidental release of harmful chemicals into our environment, it makes perfect sense that the topic would be on the radar.  In particular, attention has been drawn to the Chemical Facility Anti-Terrorism Standards (CFATS).  In his session, Jasvir Gill, CEO of AlertEnterprise, Inc., will talk about “how Security Convergence (between logical and physical security) can be enhanced with Control System Security as well. Th[e] session [will] show[] how using this approach is helping companies comply with CFATS (Chemical Facility Anti Terrorism Standards). Advanced software techniques can bridge the most overlooked gaps in security - blended threats that reside between security automation systems of all kinds reducing diversion of chemicals and theft of weapons grade material.” 

The Department of Homeland Security (DHS) issued the CFATS standard on April 9, 2007, based on a later congressional authorization through the Department of Homeland Security Appropriations Act of 2007.  According the DHS Web site, “Department requires all chemical facilities to comply with regulatory requirements as detailed in 6CFR27 (CFATS). The process includes completing a screening process or Top-Screen for potentially dangerous materials, identifying vulnerabilities through a security vulnerability assessment (SVA), and developing a site security plan (SSP).”  For those designated high risk, specific actions are required beyond an assessment, including the implementation of prescribed controls.  All facilities may be subjected to DHS inspections to insure that the risk levels reported are accurate and that any required controls are implemented.  Those sites deemed the highest risk will be subjected to inspections first and more frequently. The specific chemicals affected, the required or recommended protections, details about how to comply with the CFATS, and who it applies to can be found through links on the DHS Web site.  

The implications for information security are less clear as many of the protections deal with the actual handling of the chemicals.  However, it is implicit in the rule that information related to the kinds of chemicals stored at covered facilities, particular handling regimes, and the types of security implemented at the facility may not be appropriate for public dissemination.  Consequently, it is important that information security professionals that may advise or work for a chemical facility become intimately familiar with CFATS, as they may be called upon to assist in defining and implementing the needed information protections even if they are not specifically called out in the rule.  Mr. Gill’s session looks to be a fascinating examination of this area so vital to the safety of people all over the world who may be the target of terrorists seeking to inflict harm through the use of these chemicals.