Announcement

Collapse
No announcement yet.

Calling All Consultants

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Calling All Consultants

    Opportunities are knocking for consultants due to new DHS regs that are coming in chemical-related industries...meaning not only chemical manufacturers, but up and down the chemical supply chain - a huge market.

    Bottom line - if companies handle or store "threshold" quantities of chemicals that are projected to be on the "DHS schedule", including many as common as acetone, chlorine and sodium nitrate, they are going to be required to have security site plans, vulnerability assessments, etc.

    Read this article from Industry Week.

    Here's what Security Management says:

    "Ever since the 1995 Oklahoma City bombing by Timothy McVeigh, Congress has worried about monitoring so-called "high risk" chemicals that could be exploited by terrorists to produce explosives or poison gases. After struggling for more than a decade to regulate such chemicals without unduly interrupting commerce, Congress delegated to the oversight responsibility to the Department of Homeland Security (DHS), which published interim regulations directing its Chemical Facility Anti-Terrorism standards in April 2007.

    The regulations define a "chemical facility" as any organization that owns a threshold quantity of chemicals labeled as potentially dangerous by DHS. Over 300 chemicals are listed in DHS' "Proposed Appendix A: DHS Chemicals of Interest," including acetone, chlorine, and sodium nitrate. Some of the chemicals on the list are commonly used in many industries. Once the final version of Appendix A is published, businesses that have threshold amounts of any of the chemicals listed will have two months to complete an online assessment using DHS' Chemical Security Assessment Tool.

    The appraisal will enable DHS to rank facilities into four risk-based tiers. Businesses that fall into one of the upper three tiers will then have to develop security site plans and conduct security vulnerability assessments."
    Last edited by SecTrainer; 10-20-2007, 11:17 AM.
    "Every betrayal begins with trust." - Brian Jacques

    "I can't predict the future, but I know that it'll be very weird." - Anonymous

    "There is nothing new under the sun." - Ecclesiastes 1:9

    "History, with all its volumes vast, hath but one page." - Lord Byron

  • #2
    I'll be curious to see who comes out of the woodwork to perform the security assessments and to prepare the security plan mandated by this regulation.

    This reminds me a little of the requirement that came out a few years back that mandated that water utilities over a certain size conduct threat and vulnerability assessments. The majority of the major engineering firms (CH2M Hill, URS, etc.) sent people to become certified in the approved assessment methodology (RAM-W) and suddenly became experts in security.

    Our firm pursued a number of these water utility projects and won a few, but the vast majority went to engineering firms with whom the water utility already had a relationship with. As it turned out, probably 90% of these type of assessments ended up being awarded to engineering firms rather than security consulting firms.

    The only consolation for me was, in a couple of instances, the water utilities called us back in to perform another security assessment after the mandated RAM-W assessment was completed by another firm. One client handed me his RAM-W report (about 3" thick) and said: "We can't understand what this report is saying; can you take a look at our facilities and tell use what we really need to do to make them more secure".
    Michael A. Silva
    Silva Consultants

    Comment


    • #3
      I likewise am curious as to the outcome. I would hazard a guess it will come with strings attached that only those in the chemical industry will do surveys seeing as how they will be the ones writing the survey format.
      Plant A will inspect Plant B and then six months later Plant B will inspect Plant A. The implication being, "If you don't hit me hard, I won't hit you hard."
      The US Navy did it for its shipyards until it became a farce. They created a separate security department who conducted the surveys/inspections with no particular format or system. When the shipyards started getting hit hard, the Navy abolished the security department.
      The FAA is both cheerleader and enforcer for the federal government. If the airlines did not like the actions of FAA's inspection arm they had their lobbyists petition congress and FAA was forced to back off. Former security chiefs are out there proudly wearing their scars. I know three of them, have for years.
      The same thing will happen to chemical inspections. Their lobbyists know how to ply the right member on the right committee or subcommittee and the proposed rules or regulations are dispensed with or watered down.
      Remember the government's trump card, "The regulation is there, but we thought you'd be mature enough to know we didn't want it enforced." When the agency is asked what would happen if you ignored the deficiency and a problem developed, the answer would be to probably terminate you or offer you specialized retraining with the provision of keeping your mouth shut!
      What is the opinion of experienced consultants with experience with the government?
      Enjoy the day,
      Bill

      Comment


      • #4
        Ditto - I am curious as a non-Seppo to see how this is planned out. Sydney's main water supply consists of a catchment area consisting of thousands of square miles of creeks, tributaries and the like and it was only last 2 years that it was being fenced around the main dam with CCTV on pumphouse and the like. Again H2o Engineers were sent back to class rooms and then suddenly qualified as Security Experts and heaven help us if it hits the fan with only limited security management in their operations. (oh wait it is government controlled so we have no money for that stuff).
        "Keep your friends close and your enemies even closer" Sun Tzu

        Comment


        • #5
          Great topic, SecTrainer.

          Some of our medical school/ tech clients have approached us about this reg. It will be interesting to see how it plays out over time.

          John
          "People sleep peaceably in their beds at night only because rough men stand ready to do violence on their behalf." G. Orwell

          Comment


          • #6
            Originally posted by john_harrington View Post
            Great topic, SecTrainer.

            Some of our medical school/ tech clients have approached us about this reg. It will be interesting to see how it plays out over time.

            John
            John, for those of us who do not let the client influence our report writing, this is going to be an interesting exercise. For instance, what type of response do you think we'll get when we ask the question, "Do you look for explosive devices attached to railroad tank cars or truck tankers?" or "What would consider a suspicious device attached to a railroad tank car or truck tanker?" "If found, what are your security protocols?"
            John, this could be the opening of Pandora's Jar.
            Enjoy the day,
            Bill

            Comment


            • #7
              Cfats

              As a Security Advisor for a major integrated Oil and Gas Energy Company, I can tell you that the average Security Vulnerability Assessment (SVA) that most security consultants would conduct will not suffice to meet the requirements as set forth in the new CFATS regulations. A specific SVA methodology, which has been approved by DHS, will be the ONLY methodolgy acceptable. The only thing I will say about it is that the methodolgy is strictly a risk based approach.

              For those of you who think you are going to just pull an SVA template off the shelf and use it, will be greatly surprised (or disappointed) to know that DHS will not approve any SVA submitted using any other methodolgy than the one they have approved.

              I saw first hand what happened when the MTSA regulations were pushed out after 9-11 and every sort of security consultant came out of the wood work and thought they new how to do SVA's. I'm here to tell you that the consultants who know how to conduct a thorough risk based SVA are few and far between.

              Why would a company pay $20,000 - $30,000 for an SVA that will not even get approved by DHS? Bottom line...you better do your home work before you jump off into an area that you know very little about.

              Comment


              • #8
                Girls and boys, correct me if I am wrong, but for the most part aren't security surveys driven by sensitivity, criticality and vulnerability based on credible and postulated threats against persons, places or things? What does existing intelligence tell us about the place and mission we are surveying?
                I've had clients develop guides or formats and I sit down with them and go over each and every item in the guide as to their and my understanding of the wording.
                Example: Do you store fuel in this building? They understood the answer should be no in most of the facilities I would visit. I asked, if they have emergency generators in the building, is there a 25-gallon storage tank in the proximity of the prime mover? The answer was yes, followed by "we didn't think about that."
                Will my understanding of your intent be the same as mine or will there be any differences, subtle or obvious?
                Enjoy the day,
                Bill

                Comment


                • #9
                  Bill I think you again summed it up quite well - people just don't think outside their own arenas. I don't know whether it is ignorance, arrogance or a combination of both plus a bit more of stupidity. I guess I could sum it all up in 1 word ....... "TITANIC". It was because of ignorance, arrogance and stupidity that this ship sank to the bottom of the ocean.
                  "Keep your friends close and your enemies even closer" Sun Tzu

                  Comment


                  • #10
                    Originally posted by NRM_Oz View Post
                    Bill I think you again summed it up quite well - people just don't think outside their own arenas. I don't know whether it is ignorance, arrogance or a combination of both plus a bit more of stupidity. I guess I could sum it all up in 1 word ....... "TITANIC". It was because of ignorance, arrogance and stupidity that this ship sank to the bottom of the ocean.
                    NRM_Oz, thank you for your kind remarks. I just think it is a supreme shame when a consultant puts on blinders when in the conduct of a survey. We have to think outside the proverbial box and challenge ourselves as well as the client to always ask and think, "What if, what if?
                    Enjoy the day,
                    Bill

                    Comment


                    • #11
                      Originally posted by mdb View Post
                      As a Security Advisor for a major integrated Oil and Gas Energy Company, I can tell you that the average Security Vulnerability Assessment (SVA) that most security consultants would conduct will not suffice to meet the requirements as set forth in the new CFATS regulations. A specific SVA methodology, which has been approved by DHS, will be the ONLY methodolgy acceptable. The only thing I will say about it is that the methodolgy is strictly a risk based approach.

                      For those of you who think you are going to just pull an SVA template off the shelf and use it, will be greatly surprised (or disappointed) to know that DHS will not approve any SVA submitted using any other methodolgy than the one they have approved.

                      I saw first hand what happened when the MTSA regulations were pushed out after 9-11 and every sort of security consultant came out of the wood work and thought they new how to do SVA's. I'm here to tell you that the consultants who know how to conduct a thorough risk based SVA are few and far between.

                      Why would a company pay $20,000 - $30,000 for an SVA that will not even get approved by DHS? Bottom line...you better do your home work before you jump off into an area that you know very little about.
                      And, as a matter of professional integrity, it is worth noting that whether there are DHS regulations involved or not, all security surveys, RMAs, etc. should be anchored to the operational features, special considerations, regulatory environment, etc. which are specific to the industry in which the client is engaged. In other words, you can't do a proper security or risk analysis without having some industry expertise as well. For consultants who are "general practitioners", this requirement can be met by including an industry expert somewhere in your survey process...if even just to review and comment on your results before they go to the client.

                      Of course, where there *are* stringent requirements such as those mentioned above, such must be carefully understood and the industry expert you include on the survey team would obviously play a much bigger role in the total process. There are a number of ways to find industry experts in almost any field who practice independently and who would consider teaming up with you on a project that might be beyond your own internal expertise.
                      Last edited by SecTrainer; 10-24-2007, 01:16 PM.
                      "Every betrayal begins with trust." - Brian Jacques

                      "I can't predict the future, but I know that it'll be very weird." - Anonymous

                      "There is nothing new under the sun." - Ecclesiastes 1:9

                      "History, with all its volumes vast, hath but one page." - Lord Byron

                      Comment


                      • #12
                        Where I was working before in another p/t project, it was dealing with HAZMAT (aka Hazardous Materials). I knew basically what requirements were but I engaged a Chemical Engineer who knew the exact requirements for the safe storage, etc of the chemicals used. We also had to be audited by the HAZMAT unit of the our Firebrigade to ensure they KNEW what was exactly onsite, the likelihood of amounts and above all the WHERE it was stored and HOW it was stored.

                        I could never have conducted the project successfully without this experts knowledge and experience and I advised my clients of the outcome only for them to understand my limitations, but were pleased to see me advise them of my shortfalls BEFORE the project commenced. It was completed without fuss and it was successful but sometimes we need to admit "hey I don't know everything".
                        "Keep your friends close and your enemies even closer" Sun Tzu

                        Comment


                        • #13
                          Please take a look at ASME's site-
                          http://www.asme-iti.org/RAMCAP/ then click on news.

                          They are working with DHS on the methodology as I read and understand it. We have had discussions with them. Training will not be available until January.

                          John
                          "People sleep peaceably in their beds at night only because rough men stand ready to do violence on their behalf." G. Orwell

                          Comment

                          Leaderboard

                          Collapse
                          Working...
                          X