Ed Flynn remembers the days when he could drive unencumbered—comparatively speaking—near an industrial site, or ease through the security checkpoint at the airport.
That all changed in the days, weeks and months after Sept. 11, 2001, as the nation’s security landscape was irrevocably altered.
The Louisiana Chemical Association began receiving calls from the Federal Bureau of Investigation, the U.S. Secret Service, U.S. Marshalls and a host of other law enforcement agencies as they all became acutely aware of vulnerabilities in the nation’s infrastructure.
Until then, site security wasn’t even on LCA’s radar.
“It was a game changer,” says Flynn, the association’s vice president of health, safety and security. “All of a sudden, this failure of imagination became a very real fact of life.”
LCA ultimately forged a Security Committee in the 9/11 aftermath, to be used by the various plant Facility Security Officers (FSOs) as a vehicle for communication, collaboration and relationship building.
Additionally, regulatory programs such as the Chemical Facility Anti-Terrorism Standards gave the Department of Homeland Security clear authority to fine or shut down facilities that do not meet the program’s comprehensive security standards.
‘Malicious, unauthorized activity’
These days, there’s never a lack of things for LCA’s Security Committee to talk about, as there has been a proliferation of threats that couldn’t have been imagined 19 years ago.
The regulation of drone technology is a popular current topic—whether by air, land or water—followed closely by cybersecurity, corporate espionage, and of course, terrorism.
“We continue to see malicious, unauthorized activity in regard to drones,” Flynn says. “From a chemical industry perspective, we’re also concerned about unmanned land-based vehicles and submersibles. You have a lot of sophisticated and vulnerable technologies on the docks and piers of these plants.”
LCA says there have been recent incidents when unauthorized drone flights have been detected near industrial sites along the Mississippi River. “We’ve seen indicators and evidence of foreign governments using drones equipped with high resolution video cameras and other types of photographic evidence at night,” he adds.
When Dow USA detected drones flying within the boundaries of its facilities, it exposed critical regulatory weaknesses for security. Federal laws provide little protection as they stand now, says Scott Whelchel, Dow’s global chief security officer, currently based in Louisiana. “They’re making progress through ‘remote identification’ and other regulatory efforts, but federal regulations remain ineffective and they’re currently unable to identify or detect drone flights. They just don’t have the structure in place.”
Should an Unmanned Aircraft System (UAS) be sighted at Dow’s St. Charles operations, it is immediately reported to Dow’s centralized dispatch, which in turn reports the sighting to the St. Charles Parish Sheriff’s Office.
Unfortunately, local law enforcement can do little, given a lack of clear guidance at the federal level. “And while we might be able to mobilize local law enforcement, there’s not a lot that happens because they’re preempted by federal law. The Federal Aviation Administration’s primary mission is to safely enable things to fly in the air. They don’t want to restrict air travel in any way, shape or form.”
While drone flights are federally restricted over government facilities, airports, sports stadiums and large social events, there are no such restrictions near critical infrastructure such as industrial plants.
“We see a big gap there,” Whelchel says. “All emergencies are local, so we need to enable and empower the local officials to better deal with these situations. The law is currently standing in the way of that.”
While most unauthorized drone flights are due to ignorance of the law or other innocuous reasons, there have been cases resulting in the FBI and Louisiana State Police investigating suspected nefarious actions by nation-state groups intending to gather trade secrets.
“It’s imperative that local, state and federal policy makers figure out how to write legislation and regulations that give law enforcement, at all levels, the ability to stop the activity,” he adds.
Joe Andrepont, who oversees site security at Westlake Chemical in Sulphur, says drones are becoming a real concern. “I think the FAA needs to address that. These drones can home in on a certain area of your plant that’s proprietary and try to capture information.”
Industry’s biggest security challenge is simply staying one step ahead of the technology. “That will always be something that companies have to plan for and be ready to implement,” Andrepont says. “Like everything else, you have to stay on top of current technological trends, as well as budget for it and train accordingly.”
He says cybersecurity and drones both fall under the umbrella of corporate espionage. Of course, there’s a human component as well.
That’s prompted plants to go beyond mere background checks of its employees to actively tracking data as it leaves the system. “People working in the plant might have certain institutional knowledge of operations or manufacturing equipment and have complete access to the things that are most critical,” he adds.
Cybersecurity threats are also a real and present danger, as evidenced in August when Gov. John Bel Edwards declared the state’s first cybersecurity emergency in the wake of a ransomware attack on state government servers.
Fortunately, the state’s two-year-old Cybersecurity Commission was prepared for the moment.
LCA’s Flynn, also a commission member, says the multifaceted commission “bolsters cyber defenses in this state and grows cyber capabilities and procedures, protocols, and perhaps even legislation, to protect government systems and information.”
Other members represent the Louisiana National Guard, Louisiana State Police, Governor’s Office of Homeland Security and Preparedness (GOHSEP) and Louisiana Economic Development, among others.
“If there is information relevant to the private sector, I share that information with our colleagues,” Flynn says.
Communication and collaboration are key
Westlake’s Andrepont says there were some undeniably positive outcomes borne out of the horrible tragedy some 19 years ago. “Today, we have an abundance of measures and regulations in place that make our plants safer, and an amazing collaborative atmosphere between the trade associations, governmental agencies at all levels, other facility security officers and law enforcement.
“It’s at a different level now, and I think we’re in a much better place today than we were before 9/11,” he adds.
Members of LCA’s Security Committee—comprised of the various plant FSOs—meet monthly to have conversations with representatives of the Department of Homeland Security, FBI, local law enforcement and others. They also share information with each other.
“We realize that those conversations and relationships are immensely valuable,” LCA’s Flynn says. “Security from our perspective is very much a shared responsibility. But at the same time, we’re not intelligence agencies. We need robust dynamic, useful relationships with these outside agencies to be effective.
“After all, the time to start reaching out is not when we’ve got a Category 3 storm in the Gulf or there’s been some sort of terror attack, drone attack or cyberattack. The time to establish communications is when things are calm.”
Whelchel says Dow is also being proactive by implementing a more holistic approach to security. He oversees Dow’s 130 manufacturing locations in more than 30 countries. “We’re taking more of an enterprise approach to security and emergency management. We’re incorporating a convergent model that is a complete continuum of physical security and cybersecurity.”
In the process, Dow adapted Sandia National Laboratories’ Risk and Safety Assessment tool to incorporate both cyber and physical risk. Risk and safety assessments are used to determine the consequences from a set of actions and the probability they will occur.
Policy and decision makers rely on these techniques to inform their processes, including when outcomes are uncertain.
“We are tailoring the risks specific to the physical facilities in our manufacturing space,” Whelchel adds. “This is something we were doing in the physical security space already, but now we’re doing it in the cyberspace as well … together.”
As for Westlake Chemicals, it performs frequent drills and exercises both as a plant and with other plants in the area.
The plant also conducts numerous tabletop drills where different scenarios are acted out and conducts large-scale exercises annually and bi-annually. Everything, Andrepont says, is documented in accordance with federal regulations.
“While it’s not a mandate, we do plant drills every week to keep everyone from becoming complacent,” he adds.
Westlake’s guards also undergo an array of impromptu drills and tests, during which they are tested and evaluated.
The guards participate in exhaustive classroom training before they even take their post and are mentored by other guards. “There’s zero tolerance for error, but there’s a great deal of training and ongoing training to get them where they need to be.”
Still, none of it would be possible without inter-plant collaboration. “We get together monthly to share best practices, often in confidence,” Andrepont says. “That’s being a good industrial neighbor and it only makes us stronger.”