The best way to determine how to meet regulatory requirements is to conduct a thorough risk analysis and any gaps should be analyzed and resolved over time. The organization should work with its security partners and consultants to find technology-based solutions to the security gaps wherever possible.
The petrochemical industry produces organic intermediate refinery products such as natural gas, plastic, rubber, and fiber raw materials. While it sometimes gets a bad reputation when pipelines leak or oil refineries catch fire, the truth is petrochemicals are central to much of the world鈥檚 goods 鈥 just about everything not made of metal, wood or other living material relies on the petrochemical industry, from plastic to cosmetics to computers.
In addition to the risk of natural disasters, there are three major concerns for security personnel in the petrochemical field:
? Internal security risk such as intellectual property theft, or information on locations of reserves of oil and natural gas;
? The cost of complying with regulations, particularly in the U.S., has increased; and
? Safety issues. For example, at one electric facility, a contractor died while on-site, largely because they were not tracking people in and out of the facility it went unnoticed.
The petrochemical industry is one of the most highly regulated in the U.S. After 9/11 the government increased control of access to chemicals due to concerns over weapons of mass destruction. Laws were passed to limit access in the U.S. as well as shipment. The Maritime Transportation Security Act (MTSA) of 2002 focused on sectors of the maritime industry that have a higher risk of involvement in a transportation security incident, including tank vessels, barges, cargo vessels, offshore oil and gas platforms, and port facilities that handle certain kinds of dangerous cargo. MTSA restricts import and export and is regulated by the coast guard.
But that is just one of the regulations the petrochemical industry is subject to. When it comes to security, this industry has many special situations and needs. Here are some of the biggest challenges and suggestions for this unique and often high-risk energy sector.
MAIN CHALLENGES
Petrochemical facilities require large spaces and are usually geographically spread out, with many varying identities they have to manage. They can be national or even global in scope and rely heavily on outside contractors, requiring the need to manage outside identities as well as internal employees.
In addition, they often have numerous and diverse facilities that are both manned and unmanned, demanding a higher level of security to secure their complicated infrastructure. Beyond physically securing their facilities, petrochemical companies have to ensure that access to high-risk facilities is tightly controlled and only personnel with a valid reason and the relevant training and security checks have access to these areas.
Controlling access to the high-risk areas of these facilities can be extremely challenging and today is often still done manually, with the relevant data dispersed across many different systems, creating a time-consuming process that is highly susceptible to errors.
Of course, the biggest challenge many petrochemical facilities face today is keeping up with the constantly changing regulations, which are getting too complex to be handled manually. And the consequences are dire. Imagine, if an oil pipeline is compromised it could bring down the energy grid, which is why these regulations have real teeth and can cause significant disruption and pain to any facility found to not comply.
PRIMARY REGULATIONS
In addition to the MTSA mentioned above, two main regulations in the petrochemical industry are the Chemical Facility Anti-Terrorism Standards (CFATS) and the Toxic Substances Control Act (TSCA). CFATS is subject to oversight from the DHS and TSCA is overseen by the EPA.
According to the DHS website, 鈥淐FATS is the nation鈥檚 first regulatory program focused specifically on security at high-risk chemical facilities. The Cybersecurity and Infrastructure Security Agency (CISA) manages the CFATS program by working with facilities to ensure they have security measures in place to reduce the risks associated with certain hazardous chemicals and prevent them from being exploited in a terrorist attack.鈥
Through the CFATS process, DHS determines whether or not a facility is high-risk; assigns the facility a tier level of 1, 2, 3, or 4 with tier 1 representing the highest-risk; and reviews and approves the facility鈥檚 security plan. DHS then conducts ongoing compliance inspections to ensure that a facility continues to fully implement the existing and planned security measures in their approved Site Security Plan (SSP) or Alternative Security Program (ASP).
According to the EPA website, 鈥淭he Toxic Substances Control Act of 1976 provides EPA with authority to require reporting, record-keeping, and testing requirements, and restrictions relating to chemical substances and/or mixtures.鈥 TSCA also requires those importing or exporting chemicals to comply with certification reporting and/or other requirements.
Then there is also the North American Electric Reliability Corporation鈥檚 NERC CIP, a collection of standards and requirements covering the security of electronic perimeters and the protection of critical cyber assets that applies to all energy companies.
With most of these regulations, there are multiple risks associated with being out of compliance. First, there are financial risks due to a fine or penalty. A major CFATS infraction, for example, could cost an organization up to $10,000 per day until it is resolved.
Organizations must also consider the risk to their reputation if they were to be the subject of a major security breach or terrorist incident. The cost to the company鈥檚 brand or reputation could far surpass any financial penalties.
SECURING PETROCHEMICAL SITES
The best way to determine how to meet these regulatory requirements is to work closely with the regulatory authority and interact with peers in the industry to ensure a clear understanding of the intent of the regulations. A thorough risk analysis should be conducted and any gaps should be analyzed and resolved over time. The organization should work with its security partners and consultants to find technology-based solutions to the security gaps wherever possible.
Often these regulations are too complex to be managed manually. Technology can play a critical role in easing that burden.
For their part, security companies have started to realize that their customers need a partner to work with them on an ongoing basis to implement and refine their overall solution over time. Instead of just providing a product, security companies can take more of a consultative approach with the customer, analyzing their current processes and pain points, then partnering with the organization to create a viable plan to close any gaps over time. A good partner will look at all of the operational aspects of the business (the entire portfolio). They will understand the efficiencies, inefficiencies, challenges, pain points, and threats, and after a solid understanding of the business operation(s), a good partner will develop a security program that will bring safety, security, and additional operational efficiencies to the customer鈥檚 business. They will also be knowledgeable about the latest technology.
For example, some companies are starting to explore the use of drones. Drones are great for monitoring large areas. Drones can carry anomaly detection software that could trigger an alarm that goes to a SOC. The hazard response team can respond quickly to fix or correct problems.
Beyond regulatory requirements and technology expertise, security providers must also be experts in some areas of law, such as GDPR. In Europe, the General Data Protection Regulation governs data protection and privacy for all individual citizens of the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas. Protection of data privacy is important when you have a global customer.
When used correctly, technology can provide significant cost savings through automation of all manual processes. For example, implementing a system to automatically onboard all employees and contractors into the access control system with access assigned based on their role, eliminates a potentially enormous amount of manual data entry, saving the company money and eliminating the risk of human error. This type of technology-based solution reduces cost, increases an organization鈥檚 compliance with external regulations, and reduces the overall risk in the process.
Having a keen understanding of the business operations, compliance adherence, and how to streamline production without disrupting business is key to successfully helping and securing a petrochemical facility.