ChemLock Exercises - Chemical Sector IED
NOTE: This is the first in a series of blog posts looking at various CISA Tabletop Exercise Packages (CTEP) offered to chemical facility managers by the new CISA ChemLock program, a voluntary chemical security program run by the Office of Chemical Security (the CFATS folks). It is a follow-up to my earlier Overview post. CTEP administrative documents can be found here. The scenario manuals can be found here.
This post looks at the Chemical Sector IED scenario (docx download link). (BTW: someone needs to talk with CISA about the hazards of links that automatically download MS Office or .PDF documents.) For those of you who have played wargames or D&D, this scenario is going to be a bit of a disappointment. There is no dungeon master script and there are no unit markers with strength points and movement units. More importantly, there are no winners. These scenarios provide a brief generic description of an attack and its aftermath with a series of discussion questions about what should have been done, what should be done, and who had responsibility for the various actions.
The Scenario Document
The basic scenario document downloaded from the Physical Security Scenario page consists of a Word® document that facilities can customize for their situation. It contains three modules:
Incident and Response,
Sustained Response, and
Short-Term Recovery.
Incident and Response Module
The module starts with a reading of the brief scenario. In this case it is the detonation of a package bomb in the receiving area of the facility on the morning of the incident. It includes a brief description of generic damage, casualties and injuries. The module then provides thirteen discussion questions with amplifying questions. The thirteen major questions are:
What plans are in place to prevent or deter an attack at your facility?
How are security and personnel trained?
Do the organization’s standard operating procedures (SOPs) include incident response roles and responsibilities for staff?
What assets are onsite to immediately respond to an incident?
What are your evacuation procedures for an incident of this type?
What notification methods (e.g., alerts, email, telecommunications, text message, special tools) does your facility use to send alert information?
What does incident command look like during this phase of the response?
Does your organization, public or private, have mutual aid agreements in place with other organizations?
Who is in charge of notifying state or federal agencies of the incident, and at what point in the incident would this occur?
How would law enforcement conduct the response and address the threat?
How would the medical response be conducted?
What information or warnings are being released to the public?
If your organization or agency had received information of a potential threat prior to the day of the incident taking place, what mitigation procedures would have taken place?
Sustained Response Module
Again, the module begins with a three-paragraph description of post-incident activities that are happening at the facility. This module then provides sixteen questions (again with supplementary questions) for the exercise participants to discuss. Those questions include:
What command structure would be set up for the incident and how would it evolve over the course of the afternoon and evening?
What communication methods (e.g., alerts, email, telecommunications, text message, and special tools) do your facility and other private sector organizations use to share information?
What communication methods (e.g., alerts, email, telecommunications, text message, and special tools) do first responders use to share information with other responders?
What role do city and county governments play in this scenario?
What are your organization’s information sharing responsibilities at this point in an incident?
Does your organization have a designated Public Information Officer (PIO)?
Is a Joint Information Center (JIC) established? If so, at what point in the incident?
Would mass care facilities, family assistance, or reunification centers be set up?
What is your agency’s protocol for addressing self-dispatching responders?
If this were to be declared a terrorist incident, what impact would that have on the response?
What steps are needed to ensure the area is cleared of threats?
What is the process to collect evidence that belongs to citizens (cell phone video, cameras, security footage from private businesses, etc.)?
How can owners / operators and government officials prepare to handle the public messaging / media in the aftermath of such an occurrence?
How are personal items reunified with their owner if left at the scene?
What are some of your agency’s best practices for response?
Following this attack, what additional protective measures will be put into place at your organization or in your community?
Short-Term Recovery Module
As in the first two modules, this one starts with a three-paragraph description of the local community response to the incident over the next several days. Again, it provides seven questions for participants to consider. Those questions are:
What is the community’s plan to recover?
Does your organization have a business continuity or rapid recovery plan?
Given the scenario, what measures would be needed to support your organization’s employees following this incident?
What resources are available to assist your organization with recovery?
What are your organization’s interdependencies?
What types of information are needed to assist in restoration of your organization’s critical infrastructure?
Are there best practices for recovery that you would like to share?
Excess Questions
Many of the questions provided in this module are conditioned on the presence of participants from outside of the affected facilities. These have been included for large-scale tabletop exercises for facilities that could expect the active participation of local government agencies as well as police, fire and medical response personnel. Smaller facilities cannot reasonably expect that level of participation, particularly on a regular basis. Those questions that rely on that more expansive participation should be ignored when that participation is not present. Management may want to raise those questions, though, with the Local Emergency Planning Committee (LEPC).
In my Overview discussion I suggested that facilities should at least initially plan on multiple iterations of these exercises with a large number of participants in subsequent exercises. Again, questions that are not relevant to the personnel present should be ignored. But even if questions have been addressed in earlier exercises, it is important to include them in subsequent exercises, as the added participants are going to have a different perspective on the questions.
Missing Questions
I have worked at two different facilities where large-scale damage incidents occurred, one a process explosion in a 500-gallon reaction vessel and the other a fire of unknown origins that leveled the facility. Neither was the result of a deliberate attack, but there were some immediate response lessons that I learned in those incidents that should be included in this scenario.
I would suggest adding the following questions to Module 1:
Who is responsible for shutting off utilities in the affected areas of the facilities?
Are utility shutoffs clearly marked?
Are utility shutoffs located away from hazardous chemical storage or use areas?
Who has the authority to order utility shutoffs?
To whom are shutoff activities reported?
Is there readily available access to chemical safety data sheets (SDS) away from main buildings and process areas?
Are there clearly defined chemical process shutdown and emergency process shutdown instructions?
Who has the responsibility for ordering emergency process shutdowns?
Are there provisions in the shutdown and emergency shutdown processes for the lack of one or more utilities?
Who is responsible for initial regulatory agency notifications?
I would suggest adding the following questions to Module 2:
Is there a plan for dealing with firefighting water runoff?
If there are weirs on surface water discharge points in the facility, who is responsible for closing them?
Are there alternative methods for detaining contaminated water on-site?
Are there contingency plans in place for environmental response support for the facility?
Who has the authority to exercise those contingency plans?
Finally, I would add the following questions to Module 3:
Who is responsible for providing information to post-incident investigators such as the fire marshal, EPA, OSHA, Chemical Safety Board?
Are there off-site copies of inventory records, SDS and process safety records?
Alternate Use
While these questions were designed to be discussed after a facility has had a chance to develop a site security plan (SSP), an enterprising security manager would do well to look at these questions while developing that SSP. The questions, while not exhaustive, are comprehensive and provide a good look at what the site security plan should include for this particular scenario. They provide an informed look at some of the issues that the plan should be expected to address.