Order Code RL33043 CRS Report for Congress Received through the CRS Web Legislative Approaches to Chemical Facility Security August 16, 2005 Dana A. Shea Analyst in Science and Technology Policy Resources, Science, and Industry Division Congressional Research Service ˜ The Library of Congress Legislative Approaches to Chemical Facility Security Summary Federal officials, policy analysts, and homeland security experts express concern about the current state of chemical facility security. Some security experts fear these facilities are at risk of a potentially catastrophic terrorist attack. The Department of Homeland Security identifies chemical facilities as being one of the highest priority critical infrastructure sectors. Currently, chemical facility security efforts include a mixture of local, state, and federal laws, industry trade association requirements, voluntary actions, and federal outreach programs. Many in the public and private sector call for federal legislation to address chemical facility security. Still, disagreement exists over whether legislation is the best approach to securing chemical facilities, and if legislation is deemed necessary, what approaches best meet the security need. Many questions face policymakers. Is the current voluntary approach sufficient or should security measures be required? If the latter, is chemical facility security regulation a federal role, or should such regulation be developed at the state level? To what extent is additional security required at chemical facilities? Should the government provide financial assistance for chemical facility security or should chemical facilities bear security costs? Critical issues surrounding chemical facility security legislation include determining which chemical facilities should be protected by analyzing and prioritizing chemical facility security risks; identifying which chemical facilities pose the most risk; and establishing what activities could enhance facility security to an acceptable level. Mechanisms for assessing security risk might include weighing the known or theoretical terrorist threat faced by a particular facility, the chemical hazards held at a facility, the quantities and location of those chemicals relative to the surrounding population, or the facility’s industrial classification. Some security regulation exists for some chemical facilities under other legislation, such as the Maritime Transportation Security Act (MTSA) (P.L. 107-295), the Safe Drinking Water Act (SDWA), as amended by the Bioterrorism Preparedness Act (P.L. 107-188), and selected state laws. Potential chemical facility security enhancements might be achieved through a range of policy approaches: providing high risk facilities security grants; mandating site vulnerability assessments; compelling vulnerability remediation; establishing federal security standards; or requiring the consideration or use of specific technologies. Proposed legislation in some cases complements existing law and in others overrides it. In the 109th Congress, H.R. 1562, the Chemical Facility Security Act of 2005, and H.R. 2237, the Chemical Security Act of 2005, contain provisions requiring vulnerability assessment and the creation of security plans, though details vary. Other Members have expressed the intention to introduce legislation. This report will discuss current chemical facility security efforts, issues in defining chemical facilities, policy challenges in developing chemical facility security legislation, and the various policy approaches. This report will be updated as circumstances warrant. Contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 Current Efforts To Secure Chemical Facilities . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Voluntary Efforts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 State Efforts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Federal Efforts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Congressional Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Federal Agency Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Policy Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Understanding Chemical Facilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Defining by Chemical . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Defining by Consequence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Defining by Industry Classification . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Effects of Thresholds on Chemical Facilities . . . . . . . . . . . . . . . . . . . . . . . 12 Types of Facilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Number of Facilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 Lead Federal Agency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Extent of Security Measures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Auditing of Vulnerability Assessments and Security Plans . . . . . . . . . 15 Prescriptive Versus Performance-based Requirements . . . . . . . . . . . . 16 Inherently Safer Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 Consequences of Noncompliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 Coordinating Regulatory Initiatives With Existing Efforts . . . . . . . . . . . . . 19 MTSA and SDWA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 State and Local Regulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 Voluntary Efforts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 Potential Approaches to Security Legislation . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 Maintain the Status Quo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 Provide Additional Resources Under Existing Law . . . . . . . . . . . . . . . . . . 22 Enhance Existing Law with Additional Authorities . . . . . . . . . . . . . . . . . . 22 Create New Security Authorities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Appendix A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 List of Figures Figure 1. Critical Infrastructure Sector Representation for RMP Facilities at Two Worst Case Scenario Thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 List of Tables Table 1. Number of RMP Facilities Reporting at Selected Potential Consequence Thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 Table 2. NAICS Codes Used to Model Critical Infrastructure Sectors from EPA RMP Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 Legislative Approaches to Chemical Facility Security Introduction Federal officials, policy analysts, and homeland security experts express concern about the current state of chemical facility security. Referring to them as “the single greatest danger of a potential terrorist attack in our country today,” some experts fear these facilities are at risk of a potentially catastrophic terrorist attack.1 The Department of Homeland Security (DHS) identifies chemical facilities as being one of the highest priority critical infrastructure sectors.2 Currently, chemical facility security efforts include a mixture of local, state, and federal laws, industry trade association requirements, voluntary actions, and federal outreach programs. DHS has identified this composite as being insufficient in addressing security for the entire chemicals sector. Additionally, various costs and requirements may act as disincentives to stakeholders attempting to create uniform, effective security against terrorist attack. Many in the public and private sector call for federal legislation to address chemical facility security.3 Still, disagreement exists over whether federal legislation is the best approach to securing chemical facilities, and if legislation is deemed necessary, what approaches best meet the security need. Since the population potentially affected by a chemical release generally resides near specific facilities, some experts may argue that chemical facility security concerns should be dealt with by state or local authorities. Other experts claim the potentially catastrophic nature of a terrorist attack and the widespread distribution of chemical facilities make chemical facility security an issue of national concern. Policymakers may decide that chemical facility security is a matter of homeland security and is best addressed at the federal, rather than state level. 1 Oral Testimony of Richard Falkenrath, Visiting Fellow, Brookings Institution, before the Senate Homeland Security and Governmental Affairs Committee on April 27, 2005. 2 Oral Testimony of Colonel Robert B. Stephan, Acting Under Secretary for Information Analysis and Infrastructure Protection, Department of Homeland Security, before the House Homeland Security Committee, Subcommittee on Economic Security, Infrastructure Protection and Cybersecurity, on June 15, 2005. 3 For example, see Letter to Editor from Tom Ridge, Director, Office of Homeland Security and Christine Whitman, Administrator, Environmental Protection Agency, Washington Post, October 6, 2002. Testimony of Stephen E. Flynn, Council on Foreign Relations, before the Senate Homeland Security and Governmental Affairs Committee on April 27, 2005. Testimony of Martin J. Durbin, American Chemistry Council, before the Senate Homeland Security and Governmental Affairs Committee on July 13, 2005. CRS-2 Critical issues surrounding chemical facility security legislation include determining which chemical facilities should be protected, which involves analyzing and prioritizing chemical facility security risks, identifying which chemical facilities pose the most risk, and establishing what activities could enhance facility security to an acceptable level. Because of the widespread use of chemicals in U.S. society, determining which chemical facilities to protect is a challenge. Selection might be based on relative risk, but it is not clear how risk might be determined. Mechanisms for assessing security risk might include weighing the known or theoretical terrorist threat faced by a particular facility, the chemical hazards held at a facility, the quantities of those chemicals, and the location of those chemicals relative to the surrounding population. Security regulation of some chemical facilities is established under certain statutes, including the Maritime Transportation Security Act (MTSA) (P.L. 107-295) and the Safe Drinking Water Act (SDWA), as amended by the Bioterrorism Preparedness Act (P.L. 107-188). Several states have established homeland security statutes and two, Maryland and New York, have enacted state laws specifically addressing chemical facility security. Potential chemical facility security enhancements might be achieved through a range of policy approaches: providing grants to increase security at high risk facilities; mandating site vulnerability assessments; compelling vulnerability remediation; establishing federal security standards; or requiring the consideration or use of specific technologies. Proposed legislation may aim to complement existing law or to override it. In the 109th Congress, legislation has been introduced to address concerns regarding chemical facility security. Both H.R. 1562, the Chemical Facility Security Act of 2005, and H.R. 2237, the Chemical Security Act of 2005, contain provisions requiring vulnerability assessment and the creation of security plans, though details vary. Other Members of Congress have expressed the intention to introduce legislation on chemical facility security requirements. This report will discuss current chemical facility security efforts, considerations in defining chemical facilities, policy challenges in developing chemical facility security legislation, and the selected policy approaches. For information on the risks of terrorism at chemical facilities, previously established federal safety requirements, general policy issues, and an overview of legislative initiatives in prior Congresses, see CRS Report RL31530 Chemical Facility Security by Linda-Jo Schierow. Current Efforts To Secure Chemical Facilities Many organizations are undertaking efforts to secure chemical facilities. Some efforts are voluntary in nature, involving security best practices, or semi-voluntary, such as requirements for membership in trade associations. Other efforts arise from state or local chemical facility security legislation. Finally, federal security legislation affecting some chemical facilities was enacted in previous Congresses. Federal agency outreach activities continue. CRS-3 Voluntary Efforts Industry trade associations have developed and publicized security best practices for their member companies.4 These practices vary, but many recommend or require vulnerability assessments of chemical facilities, generation of security plans to address the largest vulnerabilities, implementation of these security plans, and, in some cases, external auditing of these security plans or their implementation. One of the most often discussed trade association security requirements is the American Chemistry Council’s (ACC) Responsible Care program.5 The DHS officially recognizes the Responsible Care Security Code as an Alternative Security Program for the purposes of compliance with MTSA.6 The ACC companies comprise almost 90% of basic industrial chemical production, although their members are only a small fraction of the total number of chemical manufacturers. While many other chemical manufacturers and distributors participate in other trade associations, the DHS testified that approximately 20% of the chemical facilities that DHS identifies as high risk do not participate in any voluntary security program.7 Some argue that a voluntary security program is insufficient to meet the risk of a significant terrorist attack. One security expert testified that ... it is a fallacy to think that profit-maximizing corporations engaged in a trade as inherently dangerous as the manufacture and shipment of TIH [Toxic Inhalation Hazard] chemicals will ever voluntarily provide a level of security that is appropriate given the larger external risk to society as a whole.8 4 For example, see the American Chemistry Council [http://www.americanchemistry.com/], the Synthetic Organic Chemical Manufacturers Association [http://www.socma.com], the National Petrochemical and Refiners Association [http://www.npra.org/], and the American Petroleum Institute [http://www.api.org]. 5 For more information on the American Chemistry Council’s Responsible Care program, see online at [http://www.responsiblecaretoolkit.com/index.asp]. 6 Testimony of Rear Admiral Craig E. Bone, U.S. Coast Guard, before the Senate Homeland Security and Governmental Affairs Committee on July 27, 2005. See also testimony of Martin J. Durbin, American Chemistry Council, before the Senate Homeland Security and Governmental Affairs Committee on July 13, 2005. 7 Testimony of Colonel Robert B. Stephan, Acting Under Secretary for Information Analysis and Infrastructure Protection, Department of Homeland Security, before the House Homeland Security Committee, Subcommittee on Economic Security, Infrastructure Protection and Cybersecurity, on June 15, 2005. 8 Testimony of Richard Falkenrath, Visiting Fellow, Brookings Institution, before the Senate Homeland Security and Governmental Affairs Committee on April 27, 2005. CRS-4 Others challenge the voluntary security plans as vague, inappropriately focused on physical security, and difficult to verify.9 Some analysts likewise believe that current security at chemical facilities would not stop a determined, armed attacker.10 Supporters of voluntary efforts cite the large investment made in site security since 2001 and other efforts to reduce risk as signs of their effectiveness. The ACC, for example, notes that its member companies invested over $2 billion in security enhancements since 2001.11 Additionally, some facilities voluntarily switched chemicals, changed manufacturing processes, or reduced the amount of chemicals onsite.12 As one industry trade association representative testified, “Our efforts show that industry does not need to be prodded by government mandates to take aggressive and effective steps to secure its facilities.”13 State Efforts Several states have safety or environmental laws applying to chemical facilities, but only two, Maryland and New York, have enacted security laws that specifically target chemical facilities. Under Maryland’s Hazardous Material Security Act, facilities that are required to file Environmental Protection Agency (EPA) risk management plans (RMPs) must perform vulnerability assessments and implement plans to address those vulnerabilities. The Hazardous Material Security Act excludes agricultural fertilizer retailers from this requirement. The facilities must report to the Maryland Department of the Environment and the Maryland State Police.14 Under New York’s Anti-Terrorism Preparedness Act of 2004, the New York Office of Homeland Security is charged with reviewing the vulnerability of chemical plants, following which it can recommend security improvements at particular plants. The Anti-Terrorism Preparedness Act of 2004 also allows the state Office of Homeland Security, in consultation with stakeholders, to identify chemical facilities covered by the law. It excludes facilities holding fuel for retail sale and facilities that 9 Testimony of Carol Andress, Environmental Defense, before the Senate Homeland Security and Governmental Affairs Committee on July 13, 2005. 10 See, for example, testimony of Sal DePasquale, Independent Consultant, before the House Homeland Security Committee, Subcommittee on Economic Security, Infrastructure Protection and Cybersecurity, on June 15, 2005. 11 Testimony of Martin J. Durbin, American Chemistry Council, before the Senate Homeland Security and Governmental Affairs Committee on July 13, 2005. 12 For representative examples, see Environmental Defense, Eliminating Hometown Hazards: Cutting Chemical Risks at Wastewater Treatment Facilities, December 2003. 13 Testimony by Steven P. Bandy, Marathon Ashland Petroleum, on Behalf of the National Petrochemical and Refiners Association and the American Petroleum Institute, before the House Committee on Homeland Security, Subcommittee on Economic Security, Infrastructure Protection, and Cybersecurity, on June 15, 2005. 14 Maryland House Bill 493, Hazardous Material Security, was signed into law on May 26, 2004. CRS-5 are water suppliers. The Department of Environmental Conservation enforces the law.15 Policymakers who believe that states are better suited to assess local threats and vulnerabilities may prefer chemical facility security measures to be developed locally. A potential concern of industry about such state laws is that a patchwork of regulations could develop, with different standards applying to facilities located in different states. Consequently, facilities in some states might be more secure than in others or a facility’s out-of-state competitors might face very different security costs. Policymakers who believe such an approach does not provide sufficient security to the population at large or places an uneven burden on industry may prefer a national standard. Also, some chemical facilities located near state borders may pose risks across state lines, supporting efforts for a national standard. Federal Efforts Congress has passed many environmental and safety statutes which may provide ancillary security benefits. Congress has also enacted legislation providing security requirements for some specific types of chemical facilities, but these requirements vary among different statutes. Also, the federal government, through the Department of Homeland Security and other agencies, engages the private sector through a public/private partnership, raising the profile of chemical facility security, and providing first responders with federal funding to secure critical infrastructure, including chemical facilities. Congressional Actions. The 107th Congress enacted the Maritime Transportation Security Act of 2002 (MTSA) (P.L. 107-295). The MTSA assigned the Coast Guard the responsibility of securing U.S. ports. Ports and facilities located within ports must perform vulnerability assessments and develop security plans. Ports are often the location of chemical facilities, such as petroleum refineries. According to the Coast Guard, 238 chemical facilities must comply with MTSA.16 For more information, see CRS Report RL31733 Port and Maritime Security: Background and Issues for Congress by John F. Frittelli. The 107th Congress also enacted the Public Health Security and Bioterrorism Preparedness and Response Act (P.L. 107-188). This legislation amended the Safe Drinking Water Act (SDWA) to require community water systems serving more than 3,300 people to perform site vulnerability assessments and develop emergency response plans. Plans for addressing known vulnerabilities were not required. The vulnerability assessments must be submitted to the EPA. Community water facilities receive some federal funding to aid in assessing and addressing critical vulnerabilities. Drinking water systems storing large quantities of chemicals may be considered chemical facilities and, if those facilities serve a sufficient population, 15 New York Senate Bill 7685, The Anti-Terrorism Preparedness Act of 2004 was signed into law on July 23, 2004. 16 Testimony of John B. Stephenson, United States Government Accountability Office, before the Senate Committee on Homeland Security and Governmental Affairs on April 27, 2005. CRS-6 would fall under SDWA.17 For more information on EPA implementation of water security, see CRS Report RL31294 Safeguarding the Nation’s Drinking Water: EPA and Congressional Actions by Mary Tiemann. Federal regulations governing environmental releases, public health, and worker safety have been developed and applied to chemical facilities. Some activities undertaken to meet these regulatory obligations may have an auxiliary security benefit, either by lowering the consequences of a chemical release or through reduction of a particular vulnerability. Also, federal security regulations exist for some specific chemical, or chemical-related, facilities. In general, these security regulations were developed to protect facilities against criminal activities, such as vandalism or theft, rather than terrorist attack. Examples of such security regulations include the protection of liquified natural gas storage facilities (49 CFR 193), hazardous liquids pipeline pumping stations (49 CFR 195.436), and storage sites for hazardous materials shippers (49 CFR 172.800). Federal Agency Action. Under the above statutes, the EPA and DHS engage in increasing chemical facility security. Facility owners and operators can assess site security using vulnerability assessment tools developed by each agency. EPA, in conjunction with Sandia National Laboratories and the Awwa Research Foundation, developed Risk Assessment Methodology for Water Utilities (RAM-W), a risk assessment methodology for water systems.18 DHS, through the American Society of Mechanical Engineers (ASME), developed an assessment tool called Risk Assessment and Management for Critical Asset Protection (RAMCAP), which is currently being employed in the chemical industry under a pilot program.19 The DHS, as the lead federal agency for the chemicals sector under Homeland Security Presidential Directive 7, visits selected chemical facilities. To prioritize outreach to the chemicals sector, DHS has divided, using DHS-determined metrics, the universe of RMP facilities into four tiers. Only 272 facilities occupy the top two tiers. Either the U.S. Coast Guard or the Information Awareness and Infrastructure Protection Directorate has visited each of these top tier facilities.20 In addition, DHS employees conduct site assessment visits in conjunction with local law enforcement. 17 For example, the EPA RMP*INFO database, May 2005 version, lists 1,747 facilities identified by NAICS code 22131, Water Supply and Irrigation Systems. 18 For more information on RAM-W and EPA water security, see online at [http://cfpub.epa.gov/safewater/watersecurity/index.cfm]. 19 Other vulnerability and risk assessment methodologies for chemical facilities have been developed. For example, the Risk Assessment Methodology for Chemical Facilities (RAMCF) was developed by the EPA, the Department of Justice, and Sandia National Laboratories. 20 The Information Analysis and Infrastructure Protection Directorate is identified by Secretary Chertoff as a DHS component to be divided and reconstituted, with infrastructure protection moving to the new Preparedness Directorate. Testimony of DHS Secretary Michael Chertoff before the Senate Homeland Security and Governmental Affairs Committee on July 14, 2005. CRS-7 These “inside-the-fence” vulnerability assessments have been performed at 38 of the highest consequence facilities. DHS plans to visit 50 more in FY2006.21 The DHS also maintains the Buffer Zone Protection Program, which provides targeted funding through states to local jurisdictions in order to enhance security surrounding critical infrastructure facilities. This program is not specific to chemical facilities, but instead is designed to increase the level of general critical infrastructure security. As of April 2005, state Homeland Security Advisors submitted to DHS 113 buffer zone protection plans developed for chemical facilities.22 The Chemical Sector Coordinating Council (CSCC), formed in May 2004, is a point of contact for DHS to communicate across the chemicals sector. The CSCC is comprised of 16 chemical associations.23 DHS is working with the CSCC in developing a Chemical Sector-Specific Plan, to be completed by November 2005, as part of the National Infrastructure Protection Plan. DHS is also currently piloting the Homeland Security Information Network - Chemical, an information sharing mechanism, through the CSCC.24 This activity occurs in addition to the previously established Information Sharing and Analysis Center established through the American Chemistry Council.25 Policy Issues Policymakers may decide to develop legislation with new authorities that would require additional chemical facility security. Key policy issues that may arise during the consideration of such legislation include the adequate coverage of the chemical facility universe; the federal agency overseeing any new requirements; the extent of 21 Testimony of Colonel Robert B. Stephan, Acting Under Secretary for Information Analysis and Infrastructure Protection, Department of Homeland Security, before the Senate Homeland Security and Governmental Affairs Committee on June 15, 2005. 22 Department of Homeland Security, Protecting America's Critical Infrastructure -Chemical Security: A Fact Sheet, April 30, 2005. 23 Chemical Sector Council members include the American Chemistry Council, the American Forest and Paper Association, the Chemical Producers and Distributors Association, the Chlorine Chemistry Council, the Compressed Gas Association, CropLife America, the Institute of Makers of Explosives, the International Institute of Ammonia Refrigeration, the National Association of Chemical Distributors, the National Paint and Coatings Association, the National Petrochemical and Refiners Association, the Synthetic Organic Chemical Manufacturers Association, the Adhesive and Sealant Council, the Chlorine Institute, the Fertilizer Institute, and the Society of the Plastics Industry, Inc. Testimony by John B. Stephenson, Government Accountability Office, before the Senate Committee on Homeland Security and Governmental Affairs, on April 27, 2005. 24 Testimony of Colonel Robert B. Stephan, Acting Under Secretary for Information Analysis and Infrastructure Protection, Department of Homeland Security, before the Senate Homeland Security and Governmental Affairs Committee on June 15, 2005. 25 Testimony of Martin J. Durbin, American Chemistry Council, before the Senate Homeland Security and Governmental Affairs Committee on July 13, 2005. CRS-8 new security measures required, such as requiring increases in physical security or reducing chemical hazards through alternative approaches; treatment of existing federal and state laws; and recognition of preexisting industry security efforts. Understanding Chemical Facilities Establishing a definition of the phrase chemical facility is a key component of potential legislation. As the DHS acting Under Secretary for Information Analysis and Infrastructure Protection testified, ... the very first thing we’re going to have to do is come to an adequate, agreedupon definition of what the chemical sector actually is, because without that, we will be going all over the place.26 Some people include only facilities involved in chemical manufacture and distribution. Others include any site containing chemicals. The narrowness or breadth of this definition will likely influence the practicability of security regulations and determine the degree of security risk reduction. This section discusses three possible mechanisms for selecting chemical facilities for security regulation, based on a list of chemicals, the potential consequences of a terrorist attack, or an industrial classification. Considering the breadth of U.S. chemical sites that could be attractive targets for terrorists, it is likely that a comprehensive definition will require a combination of approaches. Defining by Chemical. Environmental and safety legislation often list, or direct an agency to list, chemicals for regulation, and then to regulate those facilities that contain them, usually at levels above certain threshold quantities. Examples of such legislation include the Emergency Planning and Community Right to Know Act (EPCRA), passed as part of the Superfund Amendments and Reauthorization Act (P.L. 99-499), and the Clean Air Act Amendments of 1990 (P.L. 101-549), which established both the Environmental Protection Agency (EPA) risk management program and the Occupational Safety and Health Administration (OSHA) process safety management program. One challenge in using this approach may be determining which chemicals to include when considering chemical facility security. Existing federal chemical lists are generally developed for other reasons, and therefore may not be appropriate for security purposes. For example, the Department of Transportation list for regulation of transport of hazardous materials contains several thousand chemicals, not all of which are a security risk.27 The OSHA process safety standard applies to a group of highly hazardous chemicals selected because of their potential hazard to workers.28 26 Oral Testimony of Colonel Robert B. Stephan, Acting Under Secretary for Information Analysis and Infrastructure Protection, Department of Homeland Security, before the Senate Homeland Security and Governmental Affairs Committee on June 15, 2005. 27 See 49 CFR 172.101. 28 See 49 CFR 1910.119 Appendix A. CRS-9 The EPCRA lists several hundred chemicals in order to ensure the safety of first responders in the event of a chemical accident.29 The Clean Air Act, Section 112(r), requires a risk management plan (RMP) for facilities possessing more than threshold quantities of any of 140 chemicals.30 These chemicals are included because of their potential for acute, offsite consequences to human health or the environment in the event of a sudden, large, accidental release. The risk management program requires these facilities to estimate the population that might be affected under a worst-case scenario release, calculating the population that resides within a circle surrounding the facility, with the radius of the circle determined by the distance the worst-case scenario release might travel.31 While these estimates are not intended to model a potential terrorist release, the potentially affected population in a worst-case scenario is often cited in discussing chemical facility security risks. Such hazardous chemical lists generally identify chemicals based on an inherent hazard, such as toxicity or flammability. One potential drawback to defining facilities by referring to these lists is that they exclude potentially hazardous chemicals for reasons other than risk. For example, the RMP list, often referred to in discussions of chemical facility security, does not include explosives.32 It also exempts material already regulated under 49 CFR 192, 193, and 195, such as liquified natural gas, which is covered by other safety regulations.33 The list of RMP facilities was further reduced by statute to exclude facilities where flammables are stored on site as fuel or for retail distribution as fuel.34 Congress may or may not want to include such exempted materials when considering chemicals in a terrorism context. Of course, any of the above lists, or any other chemical list, might be edited to meet the security need. To better focus federal resources, a much shorter list of chemicals might be desirable. Alternatively, an appropriate federal agency might develop a new chemical list specifically for security purposes, avoiding a focus on previous lists. One safety expert testified that 29 See 40 CFR Part 68. 30 The list of 140 chemicals, 77 toxic chemicals and 63 flammable chemicals, and their threshold quantities are found at 40 CFR 68.130. 31 The criteria and guidelines for determining the worst-case scenario release are found at 40 CFR 68.25. The criteria for determining the distance a worst-case scenario release might travel are found at 40 CFR 68.22. 32 63 Fed. Reg. 640-645, January 6, 1998. 33 40 CFR 68.3 34 The latter category was exempted through the passage of P.L. 106-40, the Chemical Safety Information, Site Security and Fuels Regulatory Relief Act of 1999. CRS-10 I would not want [the Department of] Homeland Security to think that somehow it can pull out of another agency the named list of chemicals and talk to the industry and say these are the only ones we’re going to worry about.35 Policymakers might require a federal agency, such as EPA or DHS, to develop and maintain such a list. If Congress wants chemical facility security efforts to address particular chemical threats, it might list specific chemicals in statute, while allowing the federal agency to modify the list.36 Defining by Consequence. Another potential criterion for determining which chemical facilities to address is the likelihood and severity of adverse consequences in the case of a terrorist attack. Such consequences might include possibility or probability of injury, loss of life, financial harm, environmental damage, or loss of critical chemical production. Experts disagree on how best to determine the likelihood and severity of these consequences, their relative importance, and whether these different consequences lend themselves to comparison, should be considered independently, or can be appropriately ranked. Because federal resources are limited, prioritizing of chemical facilities by risk may be an effective approach to maximizing the benefits from security spending. DHS Secretary Chertoff, implying such an approach, stated, “When you start to think about your priorities, you're going to think about making sure you don’t have a catastrophic thing first.”37 A risk-prioritization approach may allow the development of thresholds defining risk characteristics for chemical facilities, and thereby determine which chemical facilities should receive federal resources or require federal attention. The magnitude of the threshold used would likely determine several characteristics of the chemical facility universe, including the inclusion or exclusion of different types of chemical facilities, the regional distribution of facilities, the degree of potential increased security, and the program cost. An additional factor in defining by consequence involves the type of data that might be used to determine a risk threshold. What metric is most appropriate and how should it be determined? For example, in considering human casualties, should one consider a worst-case scenario or a more probable release? The degree of complexity and accuracy required to model these scenarios might be an area of contention. For example, DHS uses a different methodology to determine potentially affected people following a terrorism-related chemical release than EPA uses when assessing potential risks from accidental releases. The potentially affected residential population in the EPA RMP program’s worst-case scenario is often cited in the debate about chemical facility security. The 35 Testimony of Gerald Poje, Former Board Member, U.S. Chemical Safety and Hazard Investigation Board, before the Senate Homeland Security and Governmental Affairs Committee on July 13, 2005. 36 Such an approach was taken with the risk management program. EPA was authorized to develop and maintain a list of chemicals and directed to include specific ones. 37 As quoted in Lara Jakes Jordan, “Chertoff: States Foot Transit Safety Bill,” Associated Press, July 15, 2005. CRS-11 predictions were known to be very conservative and were intended to be used for planning purposes by emergency response organizations and government agencies. Some analysts assert that these RMP figures are a viable starting point for prioritizing chemical facility risk.38 Other analysts assert that RMP figures overestimate the actual number of casualties. For example, DHS modeling of one specific facility showed that the number of persons potentially affected was much lower than projected from regulatory calculations.39 Still others contend that the RMP figures may underestimate the casualties from a terrorist attack, as the scenarios are modeled on a release from a single chemical process. Since many chemical processes may be located in a chemical facility, it is possible that a greater amount of chemical might be released during an intentional attack than during an accidental release.40 Determining the extent of likely casualties from a release might require extensive modeling of facility location, meteorological information, surrounding population distribution, and other factors, which may prove to be prohibitively difficult for a large number of chemical facilities. Defining by Industry Classification. Another approach towards defining chemical facilities might be by industrial classification. Such an approach appears to align with The National Strategy for Physical Protection of Critical Infrastructure and Key Assets and Homeland Security Presidential Directive 7 (HSPD-7), where critical infrastructure is subdivided into specific infrastructure sectors and federal agencies are assigned lead roles for each sector.41 Critical infrastructure sectors may be composed of similar industries or of industries with common elements. For example, HSPD-7 identifies an “energy” sector and a “chemical and hazardous materials” sector. The latter sector is defined to include chemical manufacturers and processors. The range of facilities that policymakers may wish to include in chemical facility legislation may not align cleanly, however, with either a particular industrial classification or with a single critical infrastructure sector. The Department of Labor uses the North American Industrial Classification System (NAICS) to classify employment and economic data by industry.42 NAICS 38 Oral Testimony of Carol Andress, Economic Development Specialist, Environmental Defense, before the Senate Homeland Security and Governmental Affairs Committee on July 13, 2005. 39 Testimony of Colonel Robert B. Stephan, Acting Under Secretary for Information Analysis and Infrastructure Protection, Department of Homeland Security, before the Senate Homeland Security and Governmental Affairs Committee on June 15, 2005. 40 Oral Testimony of Glenn Erwin, United Steel, Paper and Forestry, Rubber, Manufacturing, Energy, Allied Industrial and Service Workers International Union, before the Senate Homeland Security and Governmental Affairs Committee on July 13, 2005. 41 Executive Office of the President, The White House, The National Strategy for Physical Protection of Critical Infrastructure and Key Assets, February 2003. Executive Office of the President, The White House, Critical Infrastructure Identification, Prioritization, and Protection, Homeland Security Presidential Directive 7, December 17, 2003. 42 For more information about NAICS codes, see online at (continued...) CRS-12 codes are hierarchical; codes containing more digits are subsets of codes containing fewer digits. For example, NAICS code 3251 (Basic Chemical Manufacturing) is a subset of NAICS code 325 (Chemical Manufacturing). NAICS codes are often selfassigned, in that a facility determines which NAICS code appropriately defines its business activity. Therefore, an approach relying on these codes might be susceptible to error due to incorrect self-assignment. On the other hand, federal agencies use such industry classification schemes to assess economic activity across industry groups, indicating that this self-classification scheme may be acceptable. Defining chemical facilities according to industry classification might lead to the “one size fits all” approach to chemical facility security criticized by various industry groups.43 Such an approach may require facilities that are not a security risk to increase their security solely because of their industry classification, rather than their actual risk. Such security efforts might not reduce the national risk and might be viewed as counterproductive, potentially impairing economic efficiency without an increase in security. Moreover, due to fiscal constraints, smaller facilities might be unable to meet requirements designed for larger facilities, potentially damaging a company’s ability to operate.44, 45 Effects of Thresholds on Chemical Facilities The relative representation of the different chemical-using industries will depend on the choice of legislative definition. Some security experts argue that any chemical facility that could endanger the surrounding residential population should be considered under chemical facility security legislation.46 Others advocate a tiering system based on a consequence metric. Depending on the legislative definition, different infrastructure sectors will be included as chemical facilities. The types of infrastructure sectors included as chemical facilities might be reduced by using a consequence threshold, as this would further refine the number of affected facilities. This section will use the EPA RMP 42 (...continued) [http://www.census.gov/epcd/www/naics.html]. 43 Testimony of Matthew Barmasse, on behalf of the Synthetic Organic Chemical Manufacturers Association, before the Senate Homeland Security and Governmental Affairs Committee on July 13, 2005. See also testimony of Allen Summers, on behalf of the Fertilizer Institute, before the House Homeland Security Committee, Subcommittee on Economic Security, Infrastructure Protection and Cybersecurity, on June 15, 2005. 44 Oral Testimony of Bob Slaughter, National Petrochemical and Refiners Association, before the Senate Homeland Security and Governmental Affairs Committee on July 13, 2005. 45 Testimony of Matthew Barmasse, on behalf of the Synthetic Organic Chemical Manufacturers Association, before the Senate Homeland Security and Governmental Affairs Committee on July 13, 2005. 46 Oral Testimony of Beth Turner, Director, Global Operations Security, E.I. duPont de Nemours and Company, Inc., before the Senate Homeland Security and Governmental Affairs Committee on July 27, 2005. CRS-13 data as a case study to discuss the types of infrastructure sectors found in the RMP program and to illustrate the impacts of applying a consequence threshold. Types of Facilities. A potential difficulty of focusing on a particular industry sector, or of using industrial classification to define chemical facilities, derives from the diverse impacts that particular industries have on security. That is, depending on the magnitude of the consequence, different industrial classifications account for the major portion of the chemical facility risk universe. In Figure 1, CRS grouped NAICS industry codes into critical infrastructure sectors used in HSPD-7. (See Appendix A for a description of how critical infrastructure sectors were constructed from NAICS codes.) As Figure 1 shows, lowering the consequence threshold greatly expands the number of facilities and the relative shares of the water and the food and agriculture sectors. Figure 1. Critical Infrastructure Sector Representation for RMP Facilities at Two Worst Case Scenario Thresholds Source: CRS analysis of the EPA RMP*National Database (with off-site consequence analysis (OCA) data), updated May 2005. Note: It is unlikely that the entire population would be affected by any single chemical release, even if it is a result of a worst-case accident. In the event of an actual catastrophic chemical release, meteorologic and other effects will determine the direction of the release, and which of the potential at risk population might be affected. In addition, worst-case scenarios do not take into account emergency response measures that might be taken by operators of the facilities or others to mitigate harm. A sector-specific approach will leave some security risks unaddressed. Even at higher thresholds, significant portions of the chemical facility universe may not be addressed by sector-specific legislation. On the other hand, as the threshold for inclusion in a chemical facility security framework is lowered, additional critical infrastructure sectors grow in relative representation, as is seen by the food and agriculture sectors in Figure 1. Because of the increased representation of these industry sectors, chemical facility security regulations will likely need to be more flexible to account for different operating environments and business needs. CRS-14 Number of Facilities. As the consequence threshold is lowered, chemical facility security regulation would apply to more facilities. The number of facilities likely increases non-linearly as the threshold decreases. Table 1 illustrates this effect by presenting the number of RMP facilities included at selected potential consequence thresholds. Table 1. Number of RMP Facilities Reporting at Selected Potential Consequence Thresholds Threshold Population Potentially Affected by a Worst-case Release Number of Facilities Reporting at or above Threshold 1,000,000 111 100,000 604 10,000 2,811 1,000 7,711 100 11,587 Source: CRS analysis of the EPA RMP*National Database (with off-site consequence analysis (OCA) data), updated May 2005. Note: It is unlikely that the entire population would be affected by any single chemical release, even if it is a result of a worst-case accident. In the event of an actual catastrophic chemical release, meteorologic and other effects will determine the direction of the release, and which of the potential at risk population might be affected. In addition, worst-case scenarios do not take into account emergency response measures that might be taken by operators of the facilities or others to mitigate harm. Chemical facility security legislation that incorporates a low threshold may affect additional smaller facilities not generally considered as chemical facilities, such as agricultural retailers or small water treatment systems. Whether these industries are the intended targets of any chemical facility security regulation is a topic facing policymakers. The large contribution of the water sector to the RMP chemical facility universe also raises the question of whether existing security efforts taken under the SDWA are sufficient to secure this sector. For example, from Figure 1, the water sector (consisting of both drinking water treatment and wastewater treatment facilities) is 18% of all facilities under the 100,000 affected threshold, but comprises 34% of facilities under the 10,000 affected threshold. Wastewater treatment facilities, which comprise roughly half of the water sector at both thresholds used in Figure 1, are not addressed under the SDWA. Should policymakers accept that drinking water facilities are adequately secured through prior legislation, it still would leave many water sector contributors to the RMP chemical facility universe. However, including all chemical facilities equally in a security program may create an unmanageable burden on low-risk chemical facilities. High risk chemical facilities are likely larger, possessing a greater ability to meet security requirements. Smaller chemical facilities required to match the security measures put in place by larger chemical facilities may not be able to do so because of fiscal limitations. CRS-15 Lead Federal Agency Which federal agency should possess chemical facility security oversight responsibilities is a topic of debate. Some analysts assert that the EPA possesses a historic relationship with both the chemical industry and specific chemical facilities. They claim that the EPA is knowledgeable about chemical facility operation and security, that the EPA would be well positioned to understand the potential impacts of security regulation, and that the EPA would be likely to create effective regulation. This coupling of safety and security was supported by the U.S. Coast Guard, which testified that security auditing under MTSA often occurred while the U.S. Coast Guard was present at the chemical facility for safety reasons.47 Other analysts claim that the EPA is unlikely to be the correct oversight body for chemical facility security. They cite the potentially contentious relationship that the EPA, which already oversees safety and facility emissions, might develop with the chemical industry. They assert that regulation of security may need to be met through a collaborative process between the oversight agency and the facilities, so it should be divorced from environmental regulation . The DHS is the other federal agency most often cited as appropriate for overseeing chemical facility security. Advocates claim that a good working relationship already exists between DHS and industry and that DHS’s expertise in security is a dominant factor. Opponents of this view argue that security measures, absent environmental protection and safety considerations, may generate adverse side effects. For example, while burying storage tanks underground might increase the security of these tanks, such an approach might pose an environmental risk from potential tank leakage. Consequently, some analysts suggest an approach combining the skills of both DHS and EPA in overseeing chemical facility security. Extent of Security Measures If legislation requires chemical facilities to implement new security measures, the extent of these measures may also be an issue of contention. Consensus is lacking regarding whether there should be auditing of vulnerability assessments, federal inspection of security measures, and required consideration of alternative approaches, such as inherently safer technologies. Auditing of Vulnerability Assessments and Security Plans. Existing federal law governing some chemical facilities have taken diverse approaches to vulnerability assessments for chemical facilities. The Maritime Transportation Security Act (MTSA) requires both the development of site vulnerability assessments and the remediation of those vulnerabilities identified. The Safe Drinking Water Act (SDWA), as amended, requires drinking water facilities to develop site vulnerability assessments and emergency response plans, but not remediation of vulnerabilities. Under both laws, the appropriate federal regulatory agency receives the site vulnerability assessments. Under the MTSA, the DHS has the authority to inspect port facilities, assess their security plans and actions, and determine whether the 47 Oral Testimony of Rear Admiral Craig E. Bone, U.S. Coast Guard, before the Senate Homeland Security and Governmental Affairs Committee on July 27, 2005. CRS-16 facilities meet DHS security standards. The EPA was not granted similar authorities under SDWA. Policymakers might decide to require that site vulnerability assessments be performed for all chemical facilities and supplied to the federal government or others. Verification and validation of voluntary security plans is a topic of continuing concern by advocacy groups, so policymakers might provide the federal oversight agency the authority to inspect and assess compliance with vulnerability assessment and any remediation requirements. However, in contrast to the 238 chemical facilities covered by MTSA, a broad legislative definition of chemical facilities could include thousands of facilities. The logistical burden to a federal agency of inspecting these facilities on a recurring basis then could be quite high. Current agency staffing may be insufficient to meet this requirement. Consequently, requiring federal auditing and validation of chemical facility security may be difficult to implement in a timely manner. Auditing responsibilities could be delegated to state or local officials to reduce the burden placed on federal agencies. Alternatively, Congress could authorize agencies to license third-party auditors and accept compliance reports they might submit on behalf of chemical facilities. Fees from such a program could offset auditing costs. If such auditing were done by third parties or was enforced by a different mechanism, such as holding facility owners or operators liable for security measures at the chemical facilities, costs might be somewhat reduced. Some experts suggest requiring owner or operator certification of security measure compliance, with associated criminal liabilities for noncompliance.48 Such an approach, coupled with inspections, might provide incentives to businesses to maintain high security standards. Prescriptive Versus Performance-based Requirements. The basis for chemical facility security requirements is another area of contention. Chemical trade associations and others have testified that chemical facility security requirements should be risk-based and provide clear guidelines regarding federal expectations.49 Also, they have requested federal assistance and access to federal records, for background checks and other purposes, as part of meeting security standards.50 48 Testimony of Richard Falkenrath, Visiting Fellow, Brookings Institution, before the Senate Homeland Security and Governmental Affairs Committee on April 27, 2005. 49 See, for example, Testimony of Martin J. Durbin, American Chemistry Council, before the Senate Homeland Security and Governmental Affairs Committee on July 13, 2005; Testimony of Matthew Barmasse, on behalf of the Synthetic Organic Chemical Manufacturers Association, before the Senate Homeland Security and Governmental Affairs Committee on July 13, 2005; and Testimony of Richard Falkenrath, Visiting Fellow, Brookings Institution, before the Senate Homeland Security and Governmental Affairs Committee on April 27, 2005. 50 Bob Slaughter, National Petrochemical and Refiners Association, before the Senate Homeland Security and Governmental Affairs Committee on July 13, 2005. CRS-17 DHS Secretary Chertoff has emphasized the need for risk-based prioritization in homeland security activities.51 The DHS testified that the federal government, in approaching chemical facility security, should adhere to three core principles: ! ! ! Chemical facilities present different levels of risk, and the most scrutiny should be focused on those that have the greatest consequences Chemical facility security should be based on reasonable, clear, and equitable performance standards, developed by the DHS. Chemical facilities should be able to select among appropriate site specific security measures. Chemical facility security efforts should recognize voluntary industry efforts.52 Some analysts argue for strong performance standards, requiring chemical facilities to be able to repel armed assault, as required of the nuclear power industry.53 Others have cited the U.S. Coast Guard’s implementation of the MTSA as a good model for performance-based requirements. Existing security regulation for some chemical storage facilities, such as liquified natural gas, is prescriptive in nature. Federal regulation governs security procedures, protective enclosures, communications, monitoring, lighting, power sources, and warning signs.54 Some experts assert that such prescriptive regulations lead to outdated security standards should threats or vulnerabilities change. Policymakers may consider whether security requirements should be prescriptive or performance-based, and whether any such requirements should be placed directly in legislation, or whether the implementing agency should be provided the discretion to determine security requirements. Inherently Safer Technologies. The application of inherently safer technology to increase chemical facility security is also a subject of debate. The concept of inherently safer technology involves altering a chemical process by substituting less hazardous materials, minimizing the amount of hazardous material on hand, altering the process conditions, or designing operation so that it is more 51 See for example, DHS Secretary Chertoff, Remarks at Homeland Security Policy Institute, George Washington University on March 16, 2005. 52 Testimony of Colonel Robert B. Stephan, Acting Under Secretary for Information Analysis and Infrastructure Protection, Department of Homeland Security, before the House Homeland Security Committee, Subcommittee on Economic Security, Infrastructure Protection and Cybersecurity, on June 15, 2005. 53 Testimony of Sal DePasquale, Independent Consultant, before the House Homeland Security Committee, Subcommittee on Economic Security, Infrastructure Protection and Cybersecurity, on June 15, 2005. 54 49 CFR 193, Liquefied Natural Gas Facilities: Federal Safety Standards (Subpart J-Security). For more information regarding liquefied natural gas security issues, see CRS Report RL32073 Liquefied Natural Gas (LNG) Infrastructure Security: Issues for Congress by Paul W. Parfomak. CRS-18 tolerant of error.55 Advocates of inherently safer technology state that its application would directly reduce security risks, because the hazard posing the security risk would be replaced or reduced.56 While acknowledging that not all chemical processes have inherently safer alternatives, advocates cite cases where inherently safer alternatives are known and could be employed.57 They claim that federal security legislation should require at least the consideration of these technologies when addressing chemical facility vulnerabilities. Industry trade associations are generally resistant to legislation mandating the use of, or incorporating a requirement to consider, inherently safer technology. They state that decisions regarding the use of inherently safer technology are weighed on a process and facility basis and are regularly considered by process engineers when optimizing and assessing process change.58 Additionally, they cite the potential to impact process safety negatively should inherently safer technology approaches be incorrectly implemented. For example, if stockpiles of a hazardous chemical are reduced, more, smaller shipments may be required. More connections would be required to transfer the same amount of material from smaller shipments. This might lead to greater risk for workers making these transfers. Lastly, industry trade associations express concern that if inherently safer technology implementation decisions are not made by process safety experts, future difficulties and potential impracticalities may arise.59 Another consideration discussed in the context of inherently safer technologies is the potential to transfer risk from one chemical facility to another chemical facility. Process changes, such as the conversion of wastewater treatment from chlorine as a disinfectant to sodium hypochlorite as a disinfectant, may lower the potential consequences at that facility, reducing the risk to the surrounding area. Those process changes may, however, increase the risk at a different point in the supply chain. For example, the facility converting chlorine into sodium hypochlorite may increase its chlorine stocks to address a greater demand for the sodium hypochlorite 55 For a more detailed discussion of the chemical process safety risk management aspects of inherently safer technology, see Robert E. Bollinger et al., Inherently Safer Chemical Processes; A Life Cycle Approach, American Institute of Chemical Engineers, New York, 1996. 56 For a representative view, see testimony of Carol Andress, Environmental Defense, before the Senate Homeland Security and Governmental Affairs Committee on July 13, 2005. 57 See, for example, U.S. Public Interest Research Group, Needless Risk: Oil Refineries And Hazard Reduction, October 2003; Environmental Defense, Eliminating Hometown Hazards: Cutting Chemical Risks at Wastewater Treatment Facilities, December 2003; and Working Group on Community Right-to-Know, Unnecessary Dangers: Emergency Chemical Release Hazards at Power Plants, July 2004. 58 Testimony of Martin J. Durbin, American Chemistry Council, before the Senate Homeland Security and Governmental Affairs Committee on July 13, 2005. 59 Testimony of John Chamberlain, Shell Oil Company, on behalf of the American Petroleum Institute, before the Senate Homeland Security and Governmental Affairs Committee on July 27, 2005. See also comments of James Conrad, American Chemistry Council, at “New Strategies to Protect America: Securing Our Nation’s Chemical Facilities,” Center for American Progress, April 6, 2005. CRS-19 end product, increasing the potential consequences surrounding that manufacturing facility. Depending on the relative population at each facility, fewer or more individuals may be put at risk by the facility process change. Safety regulation requiring the consideration of inherently safer technology has been developed on the state and local level. For example, New Jersey, in implementing the Toxic Catastrophe Prevention Act, requires the consideration of inherently safer technology for all new facilities and processes covered under the act.60 Contra Costa County, California, also requires the consideration of inherently safer technologies.61 Policymakers, in considering inherently safer technologies, may wish to assess whether new processes or facilities are fundamentally different than existing processes or facilities, and might benefit from a security requirement to consider inherently safer technologies.62 Consequences of Noncompliance. If new chemical facility security requirements are established, penalties for not meeting these standards might need to be determined. Civil or criminal penalties, such as fines, might be assessed against facility owners or operators, whose security did not meet program standards. If a tiered system of security requirements were established, penalties might be tiered as well. Some might argue though that the effect of tiering would be to lower penalties below what would be sufficient to ensure compliance, while others might contend that penalties should be more directly related to the criteria determining the tiering. A different approach to enforcing compliance would be to enable the federal agency implementing the chemical facility security program to prevent operation of a facility if it is out of compliance with the program. The U.S. Coast Guard is granted this authority under MTSA. Such language could be developed for any new program. Stakeholder concerns regarding such an authority would likely revolve around details of its use, such as the ability of a facility to appeal such authority. The authority to stop operation of a chemical facility due to insufficient security would directly affect the fiscal viability of a facility, providing a strong incentive to maintain compliance with security requirements. However, for those facilities with fiscal challenges, blocking their operation might significantly threaten the facility’s economic viability. Coordinating Regulatory Initiatives With Existing Efforts Policymakers may wish to coordinate chemical facility security approaches with existing state and federal regulation. Developing equivalent criteria, exempting facilities covered under other regulation, and determining whether federal standards 60 For more information on the New Jersey Toxic Catastrophe Prevention Act, see online at [http://www.nj.gov/dep/rpp/tcpa/download.htm]. 61 For more information on the Contra Costa County regulation, see online at [http://www.acusafe.com/Laws-Regs/US-State/CA_CCC_ISO.pdf]. 62 Differentiating between new and existing facilities may lead to unintended business effects. For an example from the Clean Air Act, see CRS Report RS21608 Clean Air and New Source Review: Defining Routine Maintenance by Larry Parker. CRS-20 preempt or form the base for state regulation are some of the options available to policymakers. MTSA and SDWA. The MTSA and SDWA, both of which cover some chemical facilities, mandate different regulatory agencies, security requirements, and authorities regarding noncompliance. The DHS, through the U.S. Coast Guard, implements the MTSA, while EPA implements the SDWA. SDWA requires vulnerability assessment, but not remediation, while MTSA requires both vulnerability assessment and remediation. The MTSA grants the Coast Guard the ability to close facilities that lack appropriate security, while the SDWA does not. Legislation affecting all chemical facilities could bridge these regulations and attempt to reconcile their requirements. Chemical facility legislation might require the higher standard to be applied to all chemical facilities, thereby requiring those water facilities that also qualify as a chemical facility to increase their site security activities. Alternatively, it might require all chemical facilities to meet the SDWA standard, leaving MTSA-regulated facilities with a higher security requirement. As a third option, new chemical facility security requirements might exempt facilities regulated under the MTSA or SDWA. State and Local Regulation. Two states have passed chemical facility security legislation. Policymakers may wish to decide how existing and proposed federal regulations might mesh with state requirements. While all states contain chemical facilities, depending on the facilities located in each state, the perception of likelihood and consequence of a terrorist attack may vary significantly. While some analysts assert that the potential consequences of an attack on a chemical facility are such that it poses a homeland security threat, others may claim that these facilities and the population surrounding them generally reside within the boundaries of single state and would be best served by state, rather than federal, regulation. Should Congress determine that chemical facility security is a federal homeland security concern, policymakers may need to address whether federal regulation will preempt state regulation, or if it will form the base from which states may impose stricter security requirements. Industry associations suggest that any new federal legislation should supercede state laws. An apparent concern is that allowing individual states to add security requirements above a federal minimum would lead to a patchwork of state regulation and, potentially, increased regulatory compliance costs. On the other hand, some federal regulations, such as environmental regulations on air emissions, allow states to enact additional regulations should the state wish to develop stricter standards. Voluntary Efforts. Some chemical facilities engage in security activities absent regulation. Policymakers may decide whether these actions should be rewarded. Potential mechanisms for recognizing these activities include economic offsets for security costs, granting exemptions from the regulatory framework for facilities undertaking voluntary efforts, and recognizing voluntary efforts with full or partial equivalency with regulatory requirements. Some analysts assert that voluntary efforts should not be rewarded, since a business incentive – reduced liability – already exists for chemical facilities to improve security. Furthermore, even with this incentive, current voluntary security activities may not rise to an acceptable level. CRS-21 Potential Approaches to Security Legislation In light of the various policy issues, four overarching legislative approaches emerge. The approaches are maintaining the current approach to chemical facility security; increasing available resources under existing authorities; enhancing existing programs with new authorities specifically related to chemical facility security; and creating new authorities to address chemical facility security. Maintain the Status Quo Some analysts and industry representatives submit that the current mix of voluntary and mandatory activities provide adequate security enhancements and that market forces are good drivers of chemical facility security needs.63 While acknowledging that mandates are needed, DHS Secretary Chertoff recognized the power of market forces, stating, “... we want to acknowledge and recognize that ultimately, the marketplace itself creates a very strong incentive through business self-interest in enhancing security.”64 Supporters of the status quo do not advocate for new chemical facility security legislation, but instead suggest that current security activities focusing on a public/private partnership with the DHS, coupled with federal support of local first responders and law enforcement, continue to provide chemical facilities with security. They assert that the voluntary chemical facility security measures are likely to be implemented at an appropriate and sustainable level based on the risk perceived by the facility owners and operators. Remaining at the status quo would likely not address criticism of the adequacy of voluntary security actions nor the degree of risk that chemical facilities pose to their surrounding communities. Those facilities identified by the DHS as not participating in voluntary security activities would still be potentially vulnerable to attack. The absence of federal legislation would not preclude state or local legislation. The perception of chemical facility risk may induce states to regulate such facilities, as has occurred in New York and Maryland. States might enact laws requiring security measures beyond the voluntary activities currently underway, should they deem such laws in the state interest. 63 For example, see testimony by Bob Slaughter, National Petrochemical and Refiners Association, before the Senate Homeland Security and Governmental Affairs Committee on July 13, 2005, and testimony by Frank J. Cilluffo, Director, Homeland Security Policy Institute, The George Washington University, before the House Homeland Security Committee, Subcommittee on Economic Security, Infrastructure Protection and Cybersecurity, on June 15, 2005. 64 DHS Secretary Chertoff, Transcript of Secretary of Homeland Security Michael Chertoff at the U.S. Chamber of Commerce, U.S. Chamber of Commerce, Washington, D.C., April 29, 2005. CRS-22 Provide Additional Resources Under Existing Law Another approach to increase chemical security might be to increase the available resources for federal support of chemical facilities. Currently the federal government provides limited financial support to select chemical facilities through MTSA related grants, but most DHS funding efforts focus on providing equipment to the first responders in communities surrounding critical infrastructure sites.65 Policymakers could direct DHS to develop mechanisms to provide support directly to high-risk chemical facilities, or to smaller, less profitable facilities. Alternatively, policymakers may wish to investigate other funding options, such as tax incentives or credits, to induce chemical facilities to voluntarily increase security. Given that federal homeland security resources are limited, determining what facilities should be eligible for such grants, incentives, or credits might prove to be challenging. Equitable distribution may also become a contentious topic, even if an appropriate risk metric is developed for chemical facilities.66 Finally, an increase in the availability of federal resources for chemical facilities would not address the issue of uneven chemical facility security across industry sectors due to voluntary participation. Some might continue to argue that the chemical facility security level would not be high enough to protect the surrounding population without federal mandate. Some analysts suggest that chemical facilities should bear the costs of chemical facility security.67 Since chemical facilities are generally for-profit companies which choose to manufacture products using hazardous materials, these analysts argue that the public should not bear the costs for reducing those risks. Instead, chemical facilities should recoup the cost of security through business activities, for example by passing on the costs of security to consumers. However, some chemical facilities, such as drinking water and wastewater facilities, may not be for-profit companies and may raise different issues in recouping security costs. Enhance Existing Law with Additional Authorities Should policymakers decide that the status quo does not meet national security needs, they could seek to strengthen current laws so that security needs are met. For example, while some suggest that the existing Clean Air Act provisions could already allow the EPA to regulate chemical facilities for security issues, others suggest that the Clean Air Act may not provide statutory authority allowing the development of 65 For information on homeland security related grants, see CRS Report RL32348 Selected Federal Homeland Security Assistance Programs: A Summary by Shawn Reese. 66 For an example of issues related to equitable distribution of homeland security funding, see CRS Report RL32696 Fiscal Year 2005 Homeland Security Grant Program: State Allocations and Issues for Congressional Oversight, by Shawn Reese. 67 Testimony of Richard Falkenrath, Visiting Fellow, Brookings Institution, before the Senate Homeland Security and Governmental Affairs Committee on April 27, 2005. CRS-23 such security regulation.68 Codifying security language into the Clean Air Act, for example, could provide explicit statutory authority to the EPA to oversee chemical facility security. Such language might build upon existing safety or environmental programs to increase security. The EPA and OSHA regulation of chemical facilities for environmental and safety purposes can be viewed in conflicting contexts. The existing regulatory relationship may not be amenable to the protective, cooperative relationship reportedly required for effective security because of historic disagreements over environmental impacts or worker safety. However, others identify close oversight and site visits for multiple purposes as effective in maintaining strong security. Augmenting existing law with additional authorities would likely not resolve concerns about an accurate calculation of the number of people potentially at risk from chemical facilities. It might also not address concerns regarding the risks from chemicals not currently regulated under existing law Facilities not currently included under these provisions would not be covered and any ranking or ordering of risk based on the worst-case scenarios might be viewed as unrealistic. Additionally, the concerns regarding EPA’s or OSHA’s experience in homeland security might lead some to question the skill with which those agencies might regulate chemical facility security. For example, assigning the EPA security oversight of chemical facilities would be inconsistent with the The National Strategy for Physical Protection of Critical Infrastructure and Key Assets, which assigned the DHS as lead agency for the chemicals sector. On the other hand, just as some are likely to question EPA and OSHA homeland security expertise, others are likely to question the background or readiness of DHS staff to make complex chemical risk assessments. Finally, this approach might result in facilities reporting to multiple federal agencies, for example those facilities that are regulated under the MTSA might also report to EPA or OSHA. Duplicative and redundant security reporting requirements may be inefficient or ineffective. Create New Security Authorities Another approach to increasing chemical security would be to create a federal agency statutory authority to oversee chemical facility security. Legislation with this goal has been introduced in the current and previous Congresses.69 A new security program might be structured like the MTSA or SDWA, or might incorporate aspects of other types of programs, such as EPA or OSHA safety programs. 68 Tim Starks, “Behind the Scenes: How the EPA Nearly Won — and Ultimately Lost — the Right to Regulate Chemical Security,” Congressional Quarterly: Homeland Security, March 9, 2005. See also Letter from Representative Billy Tauzin, et al. to Tom Ridge, Office of Homeland Security, The White House, June 19, 2002. 69 In the 109th Congress, see, for example, H.R. 1562 and H.R. 2237. In the 108th Congress, see, for example, H.R. 1861, H.R. 2901, S. 157, and S. 994. For a comparison of selected legislation in the 108th Congress, see CRS Report RL31958 Chemical Facility Security: A Comparison of S. 157 and S. 994 by Linda-Jo Schierow. CRS-24 A new security program might address concerns voiced by industry about the potential scope of chemical facility security. Existing programs and outreach efforts might be coordinated with any new program requirements by clearly identifying the target chemical facility universe. An assessment of the comprehensiveness of the defined facility universe of interest to legislators might determine any need to tier prospective security requirements. Such considerations might aid in avoiding overly burdensome regulation by identifying what facilities most require targeted security efforts. In establishing a new chemical facility security program, Congress could mandate security measures or leave details to the implementing agency. Mandating security measures would force the inclusion of technologies or methodologies deemed necessary by Congress. Establishing authority within the implementing agency to establish and adjust security requirements as necessary would allow the agency to address changing threats and vulnerabilities, but might allow critics to assert that statutory standards are too rigorous or not rigorous enough. If existing security legislation is used as the design basis for a chemical facility security program, coordinating requirements with those security programs may be easy. On the other hand, alignment of existing and new programs may ease coordination between regulatory requirements. Policymakers may wish to decide whether one program has precedence over the other, if the requirements of both programs are applicable to a facility, or if compliance with existing programs should exempt a facility from the new program. Similar questions arise with respect to state and local laws or ordinances, and whether a federal program could preempt them. Efforts to design any new federal chemical facility program could incorporate current state efforts as a starting criteria, or establish new standards. Creating a new federal program with less stringent requirements than existing state programs, and then preempting state programs, might lead to criticism that federal legislation reduced, rather than enhanced, chemical facility security in those locales. A new program which did not preempt state regulation, on the other hand, might be construed as allowing a mixture of state regulatory standards to be promulgated, creating a non-uniform regulatory and economic arena. On the other hand, a federal program might dissuade other states from enacting additional, potentially conflicting laws. Finally, a new chemical facility security program might incorporate current voluntary efforts as part of, or in lieu of, meeting the federal program requirements. If policymakers accept current voluntary efforts in lieu of federal program requirements, creating, for example, an exemption for facilities already engaged in security efforts, critics may challenge the program as not establishing a stringent enough standard. Alternatively, creating a program with requirements at great variance with current voluntary security efforts, essentially causing those efforts to not be applicable to the new regulatory program, might be criticized as penalizing those facilities taking positive steps towards reducing vulnerability. Developing an assessment or audit methodology for voluntary security efforts might provide a new chemical security program with criteria to compare voluntary efforts with any new program requirements. Thus, any voluntary security efforts that aligned with the CRS-25 regulatory intent of policymakers would be valued while those that did not align would not be. CRS-26 Appendix A The EPA RMP*INFO database provides information on industrial classification of the reported chemical processes. CRS analyzed the worst-case scenario data reported by each facility to the EPA. CRS identified which reported chemical process at each facility potentially affected the greatest number of persons in a worst-case release. CRS used the NAICS code reported for this chemical process as the NAICS code for the facility. CRS combined NAICS codes to provide descriptions of critical infrastructure sectors. In some cases, CRS collapsed four, five, and six digit NAICS codes for the purposes of clarity. NAICS codes from 1997 were converted into 2002 NAICS codes when found. The combination of NAICS codes presented here is one of many possible approaches. The manner by which NAICS codes are sorted into critical infrastructure sectors affects which facilities would be impacted by policy decisions about and approaches towards particular critical infrastructure sectors. For a list of NAICS codes used to model critical infrastructure sectors, see Table 2. Table 2. NAICS Codes Used to Model Critical Infrastructure Sectors from EPA RMP Data Sector Food and Agriculture NAICS Code NAICS Description Number of Facilities (10,000 Threshold) Number of Facilities (100,000 Threshold) 111 Crop Production 9 1 112 Animal Production 2 0 311 Food Manufacturing 358 12 312 Beverage and Tobacco Product Manufacturing 37 1 4244 Groceries and Related Products Merchant Wholesalers 11 0 4245 Farm Product Raw Materials Merchant Wholesalers 9 2 23 1 1 1 11511 Support Activities for Crop Production 11521 Support Activities for Animal Production CRS-27 Sector Water Chemicals NAICS Code NAICS Description 42382 Farm and Garden Machinery and Equipment Merchant Wholesalers 42491 Farm Supplies Merchant Wholesalers 42499 Number of Facilities (10,000 Threshold) Number of Facilities (100,000 Threshold) 1 0 104 5 Other Miscellaneous Nondurable Goods Merchant Wholesalers 1 0 44422 Nursery, Garden Center, and Farm Supply Stores 8 1 44523 Fruit and Vegetable Markets 1 0 49312 Refrigerated Warehousing and Storage 141 3 49313 Farm Product Warehousing and Storage 13 0 Food and Agriculture Sector Total 719 27 22131 Water Supply and Irrigation Systems 543 61 22132 Sewage Treatment Facilities 408 43 56221 Waste Treatment and Disposal 11 3 92411 Administration of Air and Water Resource and Solid Waste Management Programs 4 0 Water Sector Total 966 107 325 Chemical Manufacturing 581 298 326 Plastics and Rubber Products Manufacturing 3 2 141 59 5 1 4246 Chemicals and Allied Products Merchant Wholesalers 4247 Petroleum and Petroleum Products Merchant Wholesalers CRS-28 Sector NAICS Code NAICS Description Number of Facilities (100,000 Threshold) 21111 Oil and Gas Extraction 2 0 21311 Support Activities for Oil and Gas Operations 4 2 32411 Petroleum Refineries 76 35 32419 Other Petroleum and Coal Products Manufacturing 1 1 48832 Marine Cargo Handling 4 1 49311 General Warehousing and Storage 10 2 49319 Other warehousing and storage 20 6 847 407 56 19 4 0 Chemicals Sector Total Miscellaneous Number of Facilities (10,000 Threshold) 322 Paper Manufacturing 327 Nonmetallic Mineral Product Manufacturing 331 Primary Metal Manufacturing 42 13 332 Fabricated Metal Product Manufacturing 20 2 333 Machinery Manufacturing 1 1 334 Computer and Electronic Product Manufacturing 15 3 335 Electrical Equipment, Appliance, and Component Manufacturing 2 1 336 Transportation Equipment Manufacturing 3 0 339 Miscellaneous Manufacturing 1 0 CRS-29 Sector NAICS Code NAICS Description 2122 Mining (except Oil and Gas) 2211 Electric Power Generation, Transmission and Distribution Number of Facilities (10,000 Threshold) Number of Facilities (100,000 Threshold) 2 0 71 11 22133 Steam and Air-Conditioning Supply 3 0 31323 Nonwoven Fabric Mills 1 1 45399 All Other Miscellaneous Store Retailers 2 0 45439 Other Direct Selling Establishments 2 0 48211 Rail Transportation 3 3 48411 General Freight Trucking, Local 1 0 48821 Support Activities for Rail Transportation 7 5 48831 Port and Harbor Operations 1 0 48849 Other Support Activities for Road Transportation 1 0 48899 Other Support Activities for Transportation 1 0 56179 Other Services to Buildings and Dwellings 21 0 56199 All Other Support Services 2 0 56299 All Other Waste Management Services 1 1 71399 All Other Amusement and Recreation Industries 2 0 81131 Commercial and Industrial Machinery and Equipment (except Automotive and Electronic) Repair and Maintenance 2 1 CRS-30 Sector NAICS Code 92811 NAICS Description Number of Facilities (10,000 Threshold) National Security No NAICS Code Provided Miscellaneous Total Total Number of Facilities Source: CRS analysis of the EPA RMP*National Database (with off-site consequence analysis (OCA) data), updated May 2005. Number of Facilities (100,000 Threshold) 2 1 10 1 279 63 2811 604