No Clear Path for Plant Security

Despite the Bush Administration's recently restated call for mandatory chemical plant security legislation, a bill is unlikely to emerge soon from Congress due to reluctance of House Republican leaders.

On the Senate side, however, Homeland Security & Government Affairs Committee Chairman Susan M. Collins (R-Maine) and ranking minority member Sen. Joseph I. Lieberman (D-Conn.) vowed at a mid-June hearing to push ahead with a mandatory plant security bill. They intend to introduce a bill by September (C&EN, June 20, page 13).

On the same day as the Senate hearing, however, Rep. Christopher Cox (R-Calif.), House Homeland Security Committee chairman, and Rep. Daniel Lungren (R-Calif.), chairman of the Subcommittee on Economic Security, Infrastructure Protection & Cybersecurity, voiced doubts that chemical plants pose much of a terrorist threat and questioned if a bill is needed.

House committee staff tell C&EN that the Republican leadership wants a slower, more deliberate path to examine if a bill is even necessary, staff say.

The sharp difference between the two chambers means that chemical plant security will continue to be based on a voluntary program organized and overseen by chemical industry members of the American Chemistry Council (ACC) and a plant security effort getting under way at the Department of Homeland Security (DHS).

However, a former member of the industry team that drew up ACC's plant security plan years ago says both approaches are inadequate.

"It may be argued that inner-city liquor stores are better protected than facilities that manufacture and use highly toxic and lethal chemicals," said Sal DePasquale, a security consultant with the engineering consulting firm CH2M Hill and an instructor at Georgia State University. As security manager for Georgia-Pacific Corp. from 1997 to 2003, DePasquale was a member of the ACC committee that developed its plant security program.

Testifying at the House hearing, DePasquale said ACC and other industry-run security programs are "window dressing" and cannot deter an armed and dedicated assailant. He calls for a prescriptive, mandatory chemical plant security program requiring physical security tools such as armed guards and barriers similar to what is required at nuclear power plants. He also wants criminal penalties for corporate officers who fail to comply.

Without such actions he warned Congress of a "catastrophe that renders Sept. 11 pale in comparison."

DEPASQUALE ECHOES other security experts at a Senate hearing in April, who said the need for chemical plant security is real, urgent, and unmet. They blasted Congress and the Administration for failing to require plants to take mandatory security measures and warned that the U.S. is "target rich" with chemical plants offering a "vast menu of pre-positioned weapons" located in highly populated areas.

However, Martin Durbin, ACC managing director of security and operations, also testified to House members and sharply disagreed with DePasquale's assessment of ACC's program. "Our member companies are committed to doing all they reasonably can to enhance the security of their operations and products against those who would do us harm." He urged that ACC's program be expanded to include the rest of the chemical sector.

At the June hearings, DHS Assistant Secretary for Infrastructure Protection Robert B. Stephan backed the ACC program. But he said DHS needs the authority of mandatory chemical plant security legislation to close gaps in the current chemical plant security regime that consists of ACC's voluntary program, DHS's oversight, and a new mandatory security program run by the U.S. Coast Guard, which affects port-side manufacturers, many of which are chemical plants.

Stephan provided few details of what DHS wants, however, promising to work with Congress in the weeks ahead to draw up bill language. But he did present an overview of the Administration's efforts over the past two years and an outline of what it hopes to achieve.

The DHS program he described has drastically cut from earlier estimates the number of facilities that must take counterterrorism actions. In the 1990s, the Environmental Protection Agency determined that out of a universe of 66,000 chemical facilities, there were 15,000 chemical manufacturers and users that handled large quantities of 140 toxic and flammable chemicals. These facilities were required to develop "risk management plans."

A small part of the plans required companies to develop a "worst-case scenario," a hypothetical case in which all of the most lethal chemicals stored and used at the factory were released in 10 minutes.

The companies were required to model the leak's impact on people living nearby. The chemical industry opposed the requirement and successfully lobbied Congress and EPA to modify the law and to place restrictions on who can see the scenarios or publish information about them. However, the scenarios closely match what could be expected from a terrorist attack, say community groups and DePasquale.

Only one EPA report actually compared the impact of the scenarios. It found that a worst-case release from any of some 11,500 plants could have an impact on at least 1,000 residents, varying from a nuisance to death. A release from any of 7,500 plants could impact 10,000 or more residents, and a worst-case release from some 500 plants could affect a million people. And of these 500, 123 plants had the potential to injure or kill more than 1 million residents, according to EPA's analysis of the industry-supplied data.

Stephan said, however, that DHS has now reexamined the numbers and found that only about 3,400 plants need to take security actions. DHS has set the threshold of impact at 1,000 people, he said, and attributed the drop to errors in EPA's data, as well as redundancies, coverage by other security requirements, and a reexamination of the scenarios themselves. He also said a worst-case accident at the nation's most lethal chemical plant could kill 10,000 people and injure 40,000.

DHS DIVIDED the 3,400 facilities into three tiers and placed 3,100 in the lowest tier, according to DHS reports and interviews of DHS staff. These lowest tier plants will be allowed to conduct their own internal security assessments using a Web-based tool developed by the department.

The second tier includes about 300 plants where an attack could affect more than 50,000 people, and the top tier holds 10 or 12 plants that could injure or kill more than 500,000, says Michelle Petrovich, director of communications for DHS Information Analysis & Infrastructure Protection.

DHS personnel have conducted just 38 detailed chemical plant site visits in which DHS has actually gone inside the plant and physically examined its vulnerability and security, Stephan said. The department plans to visit another 50 high-risk plants in 2006, according to DHS information.

The department has visited all of the top-tier facilities, Stephan says. Also, most of the second-tier facilities have had to perform vulnerability assessments and take security actions, primarily through Coast Guard regulations, which have required some 238 chemical plants near ports to toughen security, Stephan said.

But 20% of the 3,100 facilities have fallen through the security gaps and have taken no security actions, he said, adding that in some cases DHS officials had been denied entry into plants. Hence, the need for legislation to give DHS new authority.

Like the DHS program, ACC's covers a much smaller universe of plants than the original EPA program, but it includes some 2,000 member-company plants.

ACC requires all 2,000 plants to conduct terrorist vulnerability assessments, but leaves it to the companies to determine if a threat exists and if action is merited. Some 1,030 member plants have taken some level of action. About 1,000 more are not covered by the EPA risk management program and have done a limited assessment.

What these plants have done has not been made public, but ACC estimates that member plants have spent about $2 billion since 2001 in assessments and security upgrades, which works out to $1 million per plant. While ACC touts its independent third-party program audit requirement, the audits only examine if firms did what they said was necessary. There is no independent audit of the assessments.

The program rests on "guidelines," DePasquale tells C&EN, and until substantive standards are issued by industry or the government, he concludes the ACC industrial security program is a failure. He warns that DHS and Congress are headed for difficulties if they use ACC's program as a model for a national security effort.

ACC began developing its member-run security plan before the Sept. 11 attacks to address concerns revealed through the EPA-required risk management plans, he notes. ACC's plan, he says, was intended to counter a disgruntled employee intent on sabotage, not an angry terrorist set on blowing up the plant or a chlorine-filled rail tanker. "We discussed requiring a minimum level of security standards for all companies that have toxic materials," he says, "but ACC was adamantly opposed to any prescriptive standard and stuck with the guidelines. Unfortunately, you can use the guidelines to come to the conclusion that you don't have to do anything."

DURBIN TELLS C&EN the vulnerability assessment tools used by member companies were finalized post-9/11 and were enlarged to counter terrorists. But he adds, "It was our hope that at the end of the day, the nation would have a regulatory structure in place to validate the vulnerability assessments." He points to the example of the Coast Guard port-side plant security program, which tracks some chemical plants.

Durbin charges that DePasquale's reliance on guards and force is misplaced for most chemical companies. "We have been reluctant to go down that road and say every facility has to have armed guards, like a nuclear plant. Most chemical plants have policies against on-site weapons due to safety concerns and fears that armed guards are just as likely to injure each other or employees as to keep an intruder out."

He accuses DePasquale of recommending a one-size-fits-all approach to security, which DePasquale denies.

"You must have sufficient physical security to intervene against an adversary before they can get to the target and blow it up and kill a bunch of people," DePasquale says. "How you decide to do it is your business--fences, guards, some mix." The mix includes phasing out toxic chemicals, he adds.

DePasquale discounts the value of surveillance programs and questions DHS's justification for lowering the number of covered plants and the impact of an attack. "To say only 10,000 people will die from a terrorist attack on a large chemical facility or a rail tanker of chlorine in a populated area is absurd."

"As it is now," DePasquale says, "an adversary with a six-shooter can defeat the security of most chemical facilities."