


by Sandy Kendall

Are Voluntary Measures Enough?

Aug 11, 2003, 3 mins
CSO and CISO, Data and Information Security

When your business involves tanks of potentially poisonous stuff, and processes gone amok would be expensive if not lethal, security is a foregone conclusion. Chemical industry security people have long been used to worrying about accidents and the odd case of vandalism, and since Sept. 11, they worry about vandalism on such a scale as to be called terrorism. Last March, a U.S. General Accounting Office report highlighted the vulnerabilities of the industry, saying that chemical facilities may be attractive targets for terrorists intent on causing economic harm and loss of life.

Two competing bills were introduced in the Senate this year with the aim of mandating and regulating security at refineries and chemical plants, but neither has progressed much further toward becoming law. The Maritime Transportation Security Act of 2002 does dictate some security measures for chemical plants that are built on navigable waters or have docks under the jurisdiction of the U.S. Coast Guard, and other laws like the Clean Air Act incidentally affect security, but most chemical companies oversee the assessment and execution of their own security practices on a voluntary basis.

To their credit, chemical companies have been working hard at beefing up their security. To read about some of what the industry leaders are doing, see "Bonding Time" in the August issue of CSO. Besides fine-tuning security in their own properties and systems, competing companies are taking the remarkable step of sharing information with each other about their security approaches.

Various industry bodies have developed updated standards for assessing and improving security, including (most notably) the American Chemistry Council (ACC) and The Chemicals Sector Cyber-Security Information Sharing Forum, which comprises 10 other industry associations. But unlike the proposed legislation pending in the Senate, which would fine companies up to $50,000 a day for noncompliance, these industry guidelines hold out no financial repercussions for failing to abide by rigorous industry standards. If a company is one of the ACC's 165 member companies and doesn't comply with the ACC's plan, it risks losing membership. The Synthetic Organic Chemical Manufacturers Association holds its members to the same requirement. But while the American Petroleum Institute and several other trade associations have endorsed the approach, they aren't requiring members to follow it.

The ACC standards and the incentives of self-protection seem to be yielding progress, but according to the Environmental Protection Agency, voluntary initiatives led by industry associations reach only a portion of the nation's 15,000 facilities.

Among the EPA's worries are the smaller players in the industry, which may be more tempting soft targets than the well-secured Dows and Eastmans of the world. Those companies have a natural self-interest in protecting themselves, but they also may not have the money to take all the steps necessary. The urgency of voluntary measures can be markedly muted by an empty wallet. And according to the industry publication Chemical News & Intelligence, Senate Republicans killed an amendment on July 22 that would have provided $80 million to the chemical industry to help it assess its vulnerability to terrorist attacks and its capabilities to respond.

When calamities like suicide truck bombs, rogue computer viruses and chemical process-control mishaps could result in a Bhopal incident in our own or anyone else's backyard, is a volunteer effort enough? Tell us what you think.