2021 Chemical Security Summit Presentations

Yesterday CISA updated the Chemical Security Summit (CSS) web page to provide links to some of the presentations that were made at last month’s virtual summit. The links go to copies of the slides used in the presentations, not videos of the actual presentations, so a lot of detail is missing. And they have not covered all of the presentations that were made. Still, there is a great deal of information here.

The presentation slides available include:

• CFATS Risk-Based Performance Standards (RBPS) Deep Dive and Best Practices

• CFATS Personnel Surety Program Overview and Demonstration

• Cyber-Physical Security Convergence in the Private Sector

• Cyber Threat Hunting: Industrial Control System Security

• How to Conduct a Chemical Security Exercise

• Jack Rabbit III Program Update

• P4 – A Platform for Public-Private Emergency Management Collaboration

• Voluntary Chemical Security Initiatives: CISA ChemLock

Case Study on Recent Disruptions in the Supply of Chlorine: Impacts and Responses

CFATS Program Presentations

The two presentations about the Chemical Facility Anti-Terrorism Standards (CFATS) program are standard fare for the CSS. The Office for Chemical Security provides program updates and helpful suggestions for covered facilities in these presentations. While many of the slides reappear from year to year, these both of the presentations are unique and provide a wealth of information.

If CISA could make the videos available for only two presentations each year, these would be the two that I would recommend; so many details are missing from the slides. Still, chemical facility security managers would do well to download and review these two slide shows.

Cybersecurity Presentations

I reported earlier on the convergence presentation, so I am happy to see the presentation slides being made available.

The cyber threat hunting presentation is slightly misnamed. It looks at the cybersecurity support that CISA provides to the industrial control system community. Still there is lots of interesting information here. I found the timeline on slide 9 particularly interesting. It shows the lexicology history of ICS security support terms starting with the Federal Incident Response Center (FedCIRC) in 2000 through the termination of the ‘US-CERT and ICS-CERT’ brands in 2019. Oddly enough, it does not mention the NCCIC-ICS that currently manages the coordinated disclosures of ICS vulnerabilities for CISA.

CISA Exercises

The chemical security exercise presentation deals with the CISA Tabletop Exercise Package (CTEP) that I have recently discussed as a part of the ChemLock program. The presentation uses the ‘Chemical Sector Complex Coordinated Attack Tabletop Exercise’ to look at how the exercises work.

Jack Rabbit III

The Jack Rabbit III presentation is another repeat presentation. The on-going reporting on the Jack Rabbit chemical release studies is updated in this presentation. The Jack Rabbit studies have already provided important data to update downwind hazard information for chlorine releases. This version of the presentation addresses the recent analysis of monitoring technology and reporting software.

Emergency Management

The P4 presentation is a perfect example of why the slide shows without the presenter comments are more than a little unsatisfying. It describes a new tool developed by the Consortium for Emergency Services

Technology (CEST) to aid communications in large-scale emergency response situations. This looks like an interesting approach to public-private coordination. A quick glance at the slides would give the impression that this is an established methodology, but CEST is relatively new initiative of the Central United States Earthquake Consortium.

ChemLock

I reported on this presentation last month. Again, I am glad to see it included in the published list.

Chlorine Supply Disruption

Some how I overlooked this presentation when looking at the agenda back in December, otherwise I would have tried to arrange my schedule so that I could have watched the live presentation. It discusses disruptions in the chlorine supply chain in 2020 and 2021. I briefly looked at one portion of that issue back in August. This provides a more detailed look at the overall problem. It just goes to show how vulnerable the country could be to a deliberate supply chain attack.

Missing Presentations

The following presentations that were made in the 3-day Summit did not make it to the list of published presentations:

• State of Chemical Security,

• Industry Perspective on the Threat Landscape,

• FBI Chemical Threat Briefing,

• FBI Case Study on Economic Espionage in the Chemical Sector, and

• Probabilistic Analysis for National Threats Hazards and Risks (PANTHR) Overview.

I have no idea why the first two presentations did not make the publication cut. The two FBI were restricted (no press allowed) presentations in the first place so, there is no surprise that the slides were not shared. I was surprised that the DHS S&T PANTHR presentation did not get published. The program web site is extensive, so there should not have been any concerns about sensitive information.