John Holmes, session chair, opened by discussing the importance of providing security to critical infrastructure, in part because of the impact that infrastructure has on the economy. The Port of Los Angeles, where he was director of operations for 7 years, handles approximately 43 percent of all of the cargo coming into the United States.1 If the port is shut down, the impact on the U.S. economy would be several million dollars per day.2 Holmes and his colleagues are obviously very concerned about critical infrastructure security, including chemical facilities.
Securing Chemical Facilities: Recent American Experiences and Lessons Learned
Nancy Jackson provided context for her comments by stating that Sandia National Laboratory conducted the first post-September 11, 2001 (9/11) security assessment on the Los Angeles-Long Beach Port Complex. As a result of this experience, she spoke not only about the security of facilities, but also about keeping chemicals safe from being misdirected or stolen for use as explosives or in making illegal drugs. Methamphetamines and similar drugs are a significant problem in the United States. There is also concern about facilities being sabotaged, and the chemicals being used as weapons once the facility is compromised. The release of chemicals can cause all kinds of problems.
It is important to limit access to chemical facilities. Before the 9/11 attacks, this was not done very well. There were few, if any, security checks, or
1Congressional Budget Office. The Economic Costs of Disruptions in Container Shipments. March 29, 2006. Figure 1. Available at: http://www.cbo.gov/sites/default/files/cbofiles/ftpdocs/71xx/doc7106/03-29-container_shipments.pdf; accessed September 18, 2014.
2Capps, L. “Recognizing the 100th Anniversary Year of the Founding of the Port of Los Angles.” In Capitolwords, vol. 153, no. 185, December 5, 2007. Available at: http://capitolwords.org/date/2007/12/05/H14212_recognizing-the-100th-anniversary-year-of-the-foun/; accessed September 20, 2014.
checks on personnel that worked in chemical factories. In Japan in 1995, Aum Shinrikyo was able to recruit several chemists to help them make sarin gas, which they released in the Tokyo subway.3 In addition to the chemicals themselves, chemistry expertise and cybersecurity are important for ensuring safety and security at a facility. The latter is important at chemical facilities and large manufacturing sites because cyberattacks may be used to sabotage a plant.
Chemicals have a unique role in weapons of mass destruction. They are different from biological, radiological, or nuclear materials in several ways. There are chemicals everywhere, and many of them have dual uses. Isopropanol can be purchased at drug stores in the United States. It can be used to clean a wound or clean eye glasses. Isopropanol can also be used to make sarin. There is a lot of isopropanol currently being removed from Syria, for example.4 Chemicals are also essential for an economy. Almost all products on the market today started from chemicals. The size of a country’s chemical industry can often be a sign of the size of a country’s economy. As a result of their importance, it is not possible to lock chemicals away as one can secure uranium or plutonium. Rather, chemicals management is required from cradle to grave, beginning to end. Management of the entire chemical life cycle is needed for security purposes, whether it is management during production, use, transportation, storage or disposal.
However, there must be a balance, because one does not want to inhibit economic development by being too focused on security over production. Therefore, decisions should be driven by a calculation of risk. Risk is a function of probability that an incident will occur and the severity of the event. With nuclear incidents, the severity of the event could be quite great, but the likelihood of such an event occurring is low. Whereas with a chemical incident, the likelihood of an event occurring is probably higher and the severity is probably lower. That does not mean that security is not needed. There are a number of different components to a secure chemical system using administrative, operational, engineering, and protective equipment. There are several voluntary codes that include these aspects of chemical control and management. One of the industry codes is the Responsible Care Security Code,5 which addresses environment, health, safety, and security considerations related to handling of chemicals. Jackson believes that Responsible Care has been so effective and successful in part be-
4See Bendavid, N. “International plan calls for removing Syria chemical weapons in months.” Wall Street Journal, November 15, 2013. Available at: http://online.wsj.com/news/articles/SB1001424052702303559504579200411985935566; accessed September 22, 2014.
5American Chemistry Council. Available at http://responsiblecare.americanchemistry.com/Responsible-Care-Program-Elements/Responsible-Care-Security-Code/PDF-Responsible-Care-Security-Code.pdf; accessed September 22, 2014.
cause it combines all of these ingredients. Much of what one can do to make chemical processes safe also makes them secure as well.
In the United States, large companies comply with the Responsible Care Security Code more frequently than do smaller companies. Often a large chemical company will ask another organization to conduct an informal audit to ensure that the company is complying with the code in a kind of “red-teaming” effort. The problem with Responsible Care is that its implementation in particular can be very expensive even though there is a prioritization and assessment of the sites and more security is applied to sites where there are more toxic chemicals or high-pressure situations.
There is another set of codes that has recently been developed for use in smaller chemical and pharmaceutical companies or their contract synthesizers called ChemStewards.6 These codes also address environment, health, safety, and security. These ChemStewards codes are very helpful for smaller companies.
The U.S. National Association of Chemical Distributors also has a code of management that is very oriented toward making sure that chemicals are distributed in a highly responsible way. Distribution is often where problems of non-state actors misusing chemicals enter the chemical life cycle. Chemicals are sold to someone thought to be legitimate, but they may not be. Chemicals could then be diverted to make explosives or to make poisons for water or to make drugs, et cetera. In many countries, the distribution system is where the greatest diversion of chemicals occurs. The National Association of Chemical Distributors code states the necessity of always knowing the customer and knowing that the customer is reliable and will take care of the chemicals well. In the United States, some chemical distributors, Sigma Aldrich, for example, have made it a priority to never have the Federal Bureau of Investigation (FBI) find one of their bottles in a methamphetamine laboratory. They are motivated to implement the code thoroughly.
The U.S. government also developed the Chemical Facility Anti-Terrorism Standards (CFATS) in fairly close coordination with the chemical industry. These regulations begin with an assessment of risk on a facility-by-facility basis, determining which chemicals are being used. The Department of Homeland Security (DHS) has identified a number of chemicals that they call “chemicals of concern.” If a facility has large quantities of chemicals of concern, then the regulations are to be followed thoroughly. Facilities with fewer chemicals follow the regulations appropriate to their facility. The CFATS are not just for traditional chemical production. Other facilities under CFATS include paint manufacturers and universities. The goal is to not transfer risk to the surrounding community. This is what happened in the West Texas explosion in 2013. When the ammonium nitrate manufacturing facility blew up, a large part of the town was destroyed. In addition, following the explosion, there was some suspicion that there had been attempted
theft of ammonia, a key ingredient in methamphetamines. If someone were to steal 10 gallons of ammonia, it may not have been noticed at such a large facility. If a person attempting to steal ammonia does not close the valve properly, eventually there will be significant safety problems.
Jackson then discussed vulnerability assessments (VA), which are an aspect of all of the codes she mentioned. The primary goal of a VA is to go through a systematic process to determine vulnerabilities at a particular facility. With this information, facility operators can work to improve security at those points deemed vulnerable to a security breech. A VA does not require sophisticated equipment. She then shared a very typical chemical security risk assessment as an example. First, there is an evaluation of possible threats. Threats may include those who may steal certain chemicals to make illegal drugs or explosives. Second, there is an evaluation of risks posed by those threats. How difficult would it be for that person to break in and either steal chemicals or use them to cause harm at the facility? Third, the risks that were identified must be categorized and adequate responses must be determined. VAs are developed to address security concerns, but the same process can be followed with regard to environmental and safety concerns. To be most effective, VAs need to be conducted in the context of a holistic assessment of the facility. There are several ways this may be done. One may conduct a laptop exercise to determine what might happen if someone broke in. At the other end of the spectrum is performance testing, which involves the facility and the facility security personnel performing their duties in response to mock security threats, which may include force-on-force exercises (with no live fire).
In the United States and in many other parts of the world, there is a considerable effort to make facilities more inherently safe and secure. This is accomplished by substituting more toxic chemicals with less toxic chemicals where possible, developing processes that operate at lower pressures; and minimizing the amount of solvents used, particularly flammable solvents. By using smaller quantities of chemicals and safer chemicals, or by making any necessary highly toxic chemical components on-site to avoid having to transport them, processes and facilities can be more secure. Jackson concluded with an example. Chlorine is a very effective means of purifying water, but it can be, and in fact has been, used as a weapon. Therefore, water purification companies in the United States use peroxide made by using ultraviolet light. Science has helped develop ways to use fewer dangerous chemicals and to keep those we do use them safe and secure.
Current Issues and Possible Solutions to Preventing Accidental or Intentional Chemical Incidents
B. Karthikeyan then provided an overview of the chemical industry in India, followed by an overview of human-caused accidents and incidents, and terrorist acts involving chemicals. The Indian chemical industry is a key part of
economic growth, generating revenue of $108 billion. This figure is expected to reach $224 billion by 2017.7 To promote development, the Indian government has formed exclusive zones intended only for the chemical industry, where the cluster of chemical industries at the primary plant can supply the downstream units more efficiently.8 These zones are all located in a central area with developed infrastructure.
Currently in India, there are also about 1,900 Maximum Accident Hazard (MAH) units, many are in the small-scale sector as in any developing nation. Small-scale and medium-scale facilities make up most of the Indian chemical industry. MAH units must follow the Major Accident Hazard Control Rules. Following the accident at Bhopal, a number of changes were made to Indian laws. However, when examining practices on the ground, Karthikeyan sees a gap between laws and implementation. In addition to formal legislation, there are also some voluntary measures taken by the chemical industry itself. The Responsible Care Security Code is now being used in India. Process Safety Management (PSM) still is not mandatory in India, although the government is considering making it mandatory. Many big companies have undertaken Occupational Safety and Health Administration PSM. Concluding the overview, Karthikeyan noted that as the education levels in India increase, media is playing a larger role in raising awareness about the chemical industry because negative perceptions about chemical industries are rampant, just like in any other country.
Karthikeyan then turned to the prevention of accidents. Many of the major accidents that have occurred after Bhopal were caused by human error. The most recent incident, unfortunately, happened just a few months before this workshop in one of the major refineries run by the government of India; 28 people died in the accident. Indian factory rules are from 1947, and while some amendments have been made and some changes are on the way, considerable improvement and modernization of these laws are needed. The end result is that law enforcers do not have proper training on process safety management, which is a critical issue.
Another issue is siting. Chemical industries are given permission to operate in less populated areas, but over time, the population grows to fill in the area surrounding the chemical facilities. When quantitative risk assessments are done, the population is estimated to be a certain size. However, by the time the risk assessment is complete a year later, Karthikeyan said, the population has often dramatically increased, so the whole risk assessment is no longer realistic. There are chemical industries located next to shantytowns, and there are wealthier, well-built houses just next to their compound. What would happen in the event of an accident? From a security point of view, since anyone could rent or
7Government of India Planning Commission. “India Chemical Industry: Five Year Plan – 2012-2017.” Available at: http://planningcommision.gov.in/aboutus/committee/wrkgrp12/wg_chem0203.pdf; accessed October 16, 2014.
8These zones are called Petroleum, Chemicals and Petrochemicals Regions.
build a house very close to the chemical factory, it could be put at considerable risk. Chemical plants are relatively easy targets for terrorists due to the lack of adherence to facility siting rules. Karthikeyan said that this has become such a serious issue now that some privately owned chemical industries are spending their own money on land outside of their boundary walls to create a no-man zone.
Karthikeyan provided the example of the fire in Jaipur at the Indian Oil Corporation’s facility.9 This was a very large oil depot fire. In this incident, the wall of houses were built close to the facility, even though rules mandated that no residences be allowed close to such installations.
A greater focus is placed on occupational health and safety reporting than on process safety, again because small- and medium-scale industries are not required to invest resources in improving process safety. The retirement of employees with years of experience contributes to these challenges. The average age in India is now 27 or 28 years old, which is affecting all industries, especially the chemical industry, because it is considered to be a harsher work environment as compared to the information technology industry or the software industry. This is compounded by a significant knowledge deficit in the chemical industry. The undergraduate curriculum in chemical engineering does not yet address process safety. It is still an elective, not a core subject. Lab-to-plant scale-up is often done without proper study, especially for batch processes; inherent safety is not applied as a means of incident prevention.
Karthikeyan organized his possible solutions into several categories. One is in the area of legislation. In his view, PSM rules need to become mandatory. Then law enforcement must be trained on PSM so that they can enforce the rules. The Chemical Safety Security Rating System also needs to be implemented. This is the new initiative that the government proposed a few months earlier and is in the initial stage of development.
Another solution lies in the area of industry involvement. Currently, there is a lack of sharing of incident databases in India, mainly because industry is worried that if they expose skeletons in their closet they may make themselves more vulnerable. Industry also needs to develop a means of communication with their boards of directors about process risks even if it is difficult. Many times the board does not know what is actually happening at the site, which affects their ability to make decisions. Simulations may be an effective means of conveying the vulnerabilities. This is an area where academia can help, because there are many similar processes. Training simulators are very expensive; therefore a number of chemical industries could jointly fund simulation models required for training. Large- and middle-scale industries should pool their resources, Karthikeyan said. PSM performance ratings should not only be made available to boards of directors, but also to the public.
Karthikeyan turned to preparation of the next generation of chemical industry employees, saying that undergraduate curricula should require appropriate training. Students and faculty may also provide technical support for small- and medium-scale industries. Karthikeyan observed that throughout India, small- and medium-scale industries do not have resources that academia has for inherent safety and environment safety. There is a need to address the gap in education on all levels that must focus not only on technical ways to improve safety and security at chemical facilities, but also one way to change the mindset of the S&T communities and the general public about the significance of these issues.
Regarding international terrorism, Karthikeyan recounted the incident when a crude oil tank at the Digboi Refinery in northeastern India in 2003 caught fire due to a hand-held missile attack.10 There are also terrorist threats to the Jamnagar Refinery, which is the largest refinery in India and is located near the border with Pakistan. There have been reports of objects hovering around the refinery. Despite siting rules, terrorists can come quite close to chemical plants. Here there are a variety of vulnerabilities. The first one is the poor quality of roads. India has one of the highest rates of road-related fatalities in the world, approximately 140,000 annually.11 The government is focusing heavily on road safety, but they have not focused on over-land transport of hazardous materials vulnerable to terrorist attacks. This is one area of deep concern because large quantities of liquefied petroleum gas are transported by oil tankers. These tankers are vulnerable, particularly as they move through heavily populated areas.
Regarding oil and gas pipeline networks, the threats are similar to those in the United States. Pumping stations are in remote locations, and typically there is only one security guard on duty. In addition, the oil and gas pipeline network is expanding. For example, the gas field on the east coast of India will require the construction of gas pipelines leading to southern India.
India has approximately 13 major ports, many of which handle chemicals.12 Currently, 21 different ministries have some responsibility for these ports.13 A coordinated approach is needed. Following 9/11, the International Maritime Organization developed a mandatory code called International Ship Port Facility Security (ISPS).14 All major Indian ports are certified by ISPS. However, there is a safety and security gap. There are a number of fertilizer fac-
10Gupta, Barun Das. “Blaze in Digboi Refinery as UFLA Attacks Oil Installation.” The Hindu, March 9, 2003. Available at: http://www.thehindu.com/thehindu/2003/03/09/stories/2003030905340200.htm; accessed October 17, 2014.
11Ministry of Road Transport and Highways, Government of India. “Road Accidents in India 2013, Section I, Accidents on Indian Roads 2013, #2, Recent Trends.” Available at: http://data.gov.in/catalo/total-number-persons-killed-road-accidents-india; accessed October 17, 2014.
tories in India, many of which are located on the coasts because some of them import ammonia by ship. Karthikeyan described an example of an ammonia storage tank on the southern coast of India that has a sub-sea pipeline that runs 4.5 kilometers into the sea with a buoy mooring system. Divers pick up the hose, connect it to the ship, and then ammonia is pumped out. This facility is covered under ISPS because it is similar to a port. The storage tank is however exposed to vulnerabilities from the seacoast. This is one area of great concern because there are a number of liquefied natural gas and ammonia tanks located in the coastal areas.
What are the possible solutions? Jackson mentioned security VAs, conducted with common sense and good tools; these should be mandatory in India for chemical security. The existing Manufacture, Storage and Import of Hazard Chemical Rules are mandatory for an established quantity of any of the listed 684 chemicals.15 Facilities with any of those chemicals could be required to conduct a VA.
Implementation of these laws, regulations, and rules should be enforced, perhaps through surprise drills, security audits, and training. This would require a coordinated approach, which is currently lacking. There are individual steps being made, such as those facilities using the global positioning system to track transport of hazardous chemicals on roads, but currently there is no integrated picture.
Karthikeyan concluded his remarks by recalling the recent attacks on an Algerian facility.16 One of the lessons learned from the attack was that they had standard operating procedures for terrorist attacks, and they trained on how to respond if there was a terrorist attack. The terrorists hijacked a bus in which employees were coming from their secure residential area, and they attacked and killed a guard. Before the guard died, he activated the terrorist alarm button, and as a result, the plant underwent an emergency shutdown. A major disaster was avoided due to these procedures. These threats cannot be wished away; they are here to stay, and we need to be prepared for them. A great deal of research needs to be conducted because India is a unique mix of cultures and peoples, and there is an equally diverse mix of terrorists around the world.
Norman Augustine began the discussion by sharing a hypothetical situation. A company that makes a product wants to produce it safely and securely,
15Ministry of Environments and Forests, Government of India. “Manufacture, Storage and Import of Hazardous Chemical Rules, 1989.” Available at: http://enfor.nic.in/legis/hsm/hsm2.html; accessed October 17, 2014.
16Trindal, Joseph. “Gas Refinery Attack in Algeria: Lessons Learned.” Domestic Preparedness Website. Available at http://www.domesticpreparedness.com/Infrastructure/Building_Protection/Gas_Refinery_Attack_in_Algeria%3A_The_Lessons_Learned/; accessed October 17, 2014.
but must make trade-offs in its spending. When trying to explain the trade-offs to the regulator or to the public or to the media, the company wishing not to spend all of its funds on safety and security will be asked: Don’t you want to be safe? Don’t you want to be secure? This is a difficult position for the person wanting to produce the product to defend. However, security controls can be extreme, and they affect the company’s ability to produce the product.
Jackson responded to this scenario by stating that the CFATS have been successful because they were developed with industry as an industry-government partnership. The American Chemistry Council, which is the largest chemical industry association in the United States, worked very closely with DHS to develop those regulations, which made a real difference.
Karthikeyan added that, in India, security for facilities in the public sector is provided by the Central Industrial Security Force (CISF). Regarding private industries, some of them do request the help of CISF, and some of them employ their own private security guards. In trying to address the trade-offs between production and security, cost is important, as is convincing top management that the threat, which they do not see, is important as well. Something that does not happen does not alarm people, and most of the reaction comes after an incident happens. He sometimes refers to this as a risk cataract. The eyes of management may be clouded, and they believe that because nothing has happened, nothing will ever happen. There is tremendous pressure placed on Indian managers, and no doubt on U.S. managers as well, to cut costs. Cutting costs without analyzing its effect on process safety was one of the root causes of the Bhopal disaster.17 How does one convince management of perhaps the largest challenge after a security VA or a risk assessment of product safety? How does one convince top management that this is necessary? There is still a long way to go.
Another workshop participant asked about how “acceptable risk” is determined. In the case of nuclear plants, there is a tendency to define acceptable risk from a nuclear plant as less than that from a conventional power plant. How does one decide on acceptable levels of risk for chemical plants? Is there a reference point?
Karthikeyan shared his observation that chemical companies focus more on marketing risk and financial risk, and often less on operational risk. All of the large chemical companies have a corporate risk philosophy, but the general tendency is to focus less on process risk. Some large chemical companies in India are developing process risk models based on their overall corporate risk approach, and every company has a different approach.
Michael O’Brien shared his experience that not all VAs are the same. There are some that are more like a checklist with metrics that are often used to determine a particular score, which is either good or not good. In reality, this type of VA does not mean anything when compared with a scenario-based or
17Lees, Frank P., ed. Lees’ Loss Prevention in Process Industries. Volume 3, Appendix 5. Burlington, MA: Elsevier Butterworth-Heinemann, 2005.
performance-based VA. O’Brien asked what type of VA is conducted at chemical facilities in the United States and in India.
Jackson replied that DHS has a vulnerability assessment methodology on their website that must be followed by all Tier-1 through Tier-4 facilities in the United States. This produces some consistency in assessments, which are both scenario based and performance based. She was uncertain as to whether or not insider threat analysis is included in the DHS VAs. Some of these simulation exercises would be appropriate for cooperation between Indian and U.S. experts.
Karthikeyan continued that India is still at the very initial stages of developing VAs. Basic checklists are being completed by typical security agencies looking at intrusion prevention. India still has a lot to learn from American experience and the CFATS Tier-1, Tier-2, and Tier-3 facilities. In India, improving process safety is the primary focus and security is slowly being addressed. He also agreed that the issue of insider threat analysis is important to address with regard to VAs in India because the country will face a shortage of 14,000 chemical engineers over the next 5 years. Approximately seven to eight million skilled people will be needed in the industry.18 The practice of performing background checks on those who enter this workforce has not yet started in India to Karthikeyan’s knowledge.
In reference to management cutting costs, a participant stated that the government of India and the state governments have an overall responsibility for the welfare and safety of its citizens. Particularly after the disaster at Bhopal, there should be rules and regulations in place that require a company to conduct risk assessments approved by the government. Assessments should address two aspects of risk: the risk to the public and to the people living nearby, and the risk to the facility employees. It is surprising that so many years after Bhopal, the government would not have developed regulations and would give this discretion to companies. The other problem is that cost cutting occurs at the unit level. For example, in the BP Texas City Refinery disaster, the BP board in London passed a directive to cut 25 percent of fixed costs in all of their refineries, so units started cutting costs. It is the responsibility of the unit to explain the risk involved in cutting those costs to boards of directors.19 This communication is currently inadequate.
Karthikeyan replied that after the Bhopal disaster, one of the regulations that was changed pertained to publicly held companies. Under this regulation, someone on the board of directors is classified as an “occupier.” The occupier can be criminally prosecuted for any accident that happens in any facility owned
18National Skill Development Corporation. Human Resource and Skill Requirement for the Chemical and Pharmaceuticals Sector (2022). A Report. Available at: http://www.nsdcindia.org/pdf/chemical-pharma.pdf; accessed on October 24, 2014.
19U.S. Chemical Safety and Hazard Investigation Board. “Investigation Report: Refinery Explosion and Fire (15 Killed, 180 Injured), BP, Texas City, Texas, March 23, 2005.” Available at: http://www.csb.gov/assets/1/19/CBSFinalReportBP.pdf; accessed October 17, 2014.
by that company.20 The positive aspect he has seen over the last 5 years is the number of criminal prosecutions of ‘occupiers’ who are primarily board directors of companies is increasing. This is a visible sign that enforcement is occurring.
An additional challenge is in enforcement of existing regulations. Karthikeyan stated that safety inspections do take place; however, one of the largest issues the enforcing authorities face is the lack of an adequate number of people who can serve as inspectors. Corruption is also a significant issue. On the other hand, there are people who genuinely do their job, but they are stretched to the limit. They cannot cover all of the industries. It is a very fluid situation where nothing is entirely known. Although India has a large workforce, there needs to be a clear intention on the part of the government to implement these regulations and to hire and train adequate professionals to ensure this implementation.
Rita Guenther asked a question regarding whether or not there are threshold limits placed on the quantities of chemicals allowed for sale to a particular type of customer. For example, if one were to accumulate a large amount of chemicals in smaller batches, would anyone detect that? How are Internet sales tracked if there are thresholds? Her second question pertained to priority areas for scientific cooperation between India and American experts to address the gaps that need to be addressed.
Jackson replied to the question regarding threshold limits on sales and purchases of chemicals. In any chemical regulation, whether it is the United Nations Chemical Weapons Convention or the U.S. Anti-Chemical Facility Anti-Terrorism Standards Authorization and Accountability Act, there is always a threshold regarding sales of chemicals. However, there are also other various thresholds, including for storage, use, purchase and transportation, and these become extraordinarily complicated. Regarding cooperation, a critical area is that of teaching a culture of safety and security. U.S. universities have not been very good at developing even a culture of safety within chemistry departments until very recently, after there were several deaths due to very bad accidents.
With regard to scientific cooperation in this area, Karthikeyan offered three prioritized areas related to terrorism. One would be sharing experiences about security and VAs, especially how they have been conducted and what has been learned through the process of having conducted these analyses. A second priority area for cooperation is road transport. How can experts prepare for responses to terrorist attacks on hazardous materials? This is an area in which Indian experts can learn from American colleagues, particularly those who have been involved in the establishment and development of DHS. The third priority area for cooperation involves the best ways to manage a myriad of law enforcement agencies.
20The Factories Act, 1948 (Act No. 63 of 1948), as amended by the Factories (Amendment) Act, 1987 (Act 20 of 1987). International Labour Organization. Available at: http://www.ilo.org/dyn/natlex/docs/WEBTEXT/32063/64873/E87IND01.htm#a085; accessed October 17, 2014.
Recent Indian and American Experiences in Cooperating on Food Security
Vedpal Yadav presented approaches of the U.S. Food and Drug Administration (FDA), based on his close collaboration with FDA, in his experience with food security in India. Yadav dedicated his talk to the more than 20 children who died from contaminated food in an incident in Chapra, Bihar, in 2013. He began by making distinctions among food safety, food defense, and food security. Food safety encompasses the efforts to prevent accidental (unintentional) contamination of food products (see Figure 3-1). Food defense encompasses the efforts to prevent intentional contamination of food products (i.e., human intervention as the source of contamination). Food security is a term that is now used more broadly to include both physical and economic access to food that meets people’s dietary needs. The World Health Organization defines food security as being achieved when all people at all times have access to sufficient, safe, nutritious food to maintain a healthy and active life.21
FIGURE 3-1 Food safety includes efforts to prevent accidental (unintentional) contamination of food products. A contaminated mid-day school meal was the result of a food safety accident and killed more than 20 children in Chapra, Bihar, India, on Tuesday, July 17, 2013. SOURCE: Yadav, 2014.
21World Health Organization. “Rome Declaration on World Food Security and World Food Summit Plan of Action.” World Food Summit, November 13-17, 1996. Available at: http://www.fao.org/wfs/index_en.htm; accessed September 18, 2014.
Yadav said that there is a spectrum of motives for intentional food contamination, from extremist groups to economically motivated adulteration (the melamine in Chinese milk is an example). He pointed out that the food supply is a soft target for terrorists because contamination of the food supply has the potential to cause significant health consequences, to cause widespread public fear, and to adversely affect the economy, leading to food insecurity. The complex nature of the food supply, with many inputs and outputs, makes it particularly vulnerable to intentionally introduced contaminants. Furthermore, such incidents of contamination may easily spread across international boundaries because in the 21st century, the food supply chain is truly global. The United States Department of Agriculture (USDA) has conducted vulnerability assessments that demonstrate that a deliberate contamination of the food supply has the potential to cause mortality rates from 1,000 to up to 300,000 deaths depending on the commodity, the agent used, and where in the supply chain the contaminant was added. Beyond the immediate health effects, such incidents could have a devastating effect on the economy, into the billions of dollars,22 and cause widespread fear.
Yadav stated that the problem is particularly complex in the United States, where approximately 75 to 80 percent of seafood is imported, 50 percent of fresh fruits are imported, and agricultural imports are close to $80 billion annually. Further, in the United States, agriculture accounts for about $1.24 trillion of the gross domestic product, and about 2 percent of all U.S. jobs (held by 24 million Americans) are directly employed in the agricultural sector, and one in six U.S. jobs are related to agriculture.
Contamination can occur at any point in the food chain: in the crop-growing stage or as a result of contaminated livestock, and the food-processing distribution, storage and transportation phases are also at risk of intentionally or unintentionally introduced contamination. There is a wide variety of intentional and unintentional contaminants about which experts worry. Unintentional contaminants include Escherichia coli, Salmonella, Listeria monocytogenes, pesticide residues, polychlorinated biphenyls, and furans; intentional contaminants include Bacillus anthracis (anthrax), Clostridium botulinum toxin, Yersina pestis (plague), arsenic, cyanide, ricin, plutonium-238, and cesium-137.
Yadav emphasized that there is a great deal that can be learned from food safety related to outbreaks, and these lessons can be applied to food defense scenarios. An unintentional incident, for example, can tell us what impact an intentional contamination incident may have on the food supply, on public health, and on public reaction. He provided the example of an unintentional incident that occurred in the United States in September 1994, when an estimated
22Based on USDA estimations on the economic value of food-related industries. See, for example, USDA, Economic Research Service. “Ag and Food Statistics: charting the Essentials.” Available at: http://www.ers.usda.gov/data-products/ag-and-food-statistics-chartingthe-essentials/ag-and-food-sectors-and-the-economy.aspx#.VBtkiGMcXYA; accessed September 18, 2014.
224,000 people became ill when ice cream was contaminated with Salmonella serotype Enteritidis.23 Hospitalization was required for 30 of 112 patients.24 The ice cream was produced at a single facility, and was most likely contaminated in transit when the pasteurized ice cream mix was transported in a truck that had previously carried raw liquid eggs. Further, on July 27, 2013, an unintentional incident occurred in Chapra, Bihar, India, when a contaminated midday school meal killed more than 20 children. The cause of the incident was determined to be organophosphorous pesticide mixed in cooking oil.25
The United States also experienced an intentional incident in 1984, when a cult member introduced Salmonella bacteria into restaurant salad bars. The intent of the perpetrators was to affect the outcome of a local election and resulted in 751 reported illnesses, and the hospitalization of 45 people (see Figure 3-2).26
FIGURE 3-2 Food defense encompasses efforts to prevent intentional contamination of food products. In 1984, cult members in the U.S. state of Oregon added Salmonella bacteria to restaurant salad bars. SOURCE: Yadav, 2014.
23Hennessey, T.W., et al. “A National Outbreak of Salmonella enteritidis Infections from Ice Cream.” New England Journal of Medicine, vol. 334, no. 20, May 16, 1996. Available at: http://www.nejm.org/toc/nejm/334/20; accessed September 18, 2014.
26Torok, Thomas, et al. A Large Community Outbreak of Salmonellosis Caused by Intentional Contaimination of Restaurant Salad Bars. Centers for Disease Control and Prevention. Available at: http://www.cdc.gov/phlp/docs/forensic_epidemiology/Additional%20Materials/Articles/Torok%20et%20al.pdf; accessed October 17, 2014.
Fortunately there were no fatalities linked to this incident. Although the outbreak was detected by local public health officials, it took the FBI about 1 year to link the outbreak to the cult headed by Bhagwan Shree Rajneesh. The investigation was complicated by the fact that it was difficult to actually determine whether the contamination was intentionally introduced, because the same microbe causes many unintentional contaminations.
While the Oregon incident is the only confirmed case of intentionally introduced contamination in the United States, the threat remains real, as indicated by the 1989 threat of contaminated grapes entering the United States from Chile.27 A terrorist group phoned the U.S. Embassy in Santiago, Chile, claiming to have contaminated Chilean grapes with cyanide. Supermarkets pulled Chilean fruit off the shelves throughout the United States, and consumers received a warning not to eat any fruit imported from Chile. Most of the peaches, blueberries, blackberries, melons, green apples, pears, and plums on the U.S. market at the time were imported from Chile. The incident devastated an entire season of fruit sales from Chile at a cost of $200 million in lost revenue.
This case demonstrates the threat from economically motivated adulteration (EMA). EMA is defined as fraudulent, intentional substitution in or addition of a substance to a product for the purpose of increasing the apparent value of the product or reducing the cost of its production for economic gain. There are several factors that contribute to EMA, including the following:
- In an expanding global marketplace, more food is moving across international borders than ever before.
- Companies may have less control over processes due to the global supply chain.
- Each year of the past 7 years, food imports have grown by an average of 10 percent.
- Tighter economic conditions lead to price increases that in turn drive fraudulent activity.
- Global food shortages create rising demand for food creating imbalances in the marketplace.
Yadav then provided specific examples of EMA events. In 1995, unapproved pesticides were used that entered the food supply via cereal, causing $140 million in loss of sales.28 In 2004, there was an incident in which unapproved dyes were used in Indian spices, which resulted in a recall and the loss of
27Shenon, P. “Chilean Fruit Pulled from Shelves as U.S. Widens Inquiry on Poison.” New York Times. March 15, 1989. Available at: http://www.nytimes.com/1989/03/15/us/chilean-fruit-pulled-from-shelves-as-us-widens-inquiry-on-poison.html; accessed September 21, 2014.
28Villani, Joe. “Pesticide Testing: What’s the Best Way?” Food Product Design. February 1, 1995. Available at: http://www.foodproductdesign.com/articles/1995/02/pesticide-testing--whats-the-best-way.aspx; accessed September 20, 2014.
$300 to $500 million in sales.29 In 2008, a Chinese milk producer, Sanlu, sold milk contaminated with melamine, affecting 290,000 people and killing 6 people (mostly children).30 Due to its high nitrogen content, milk producers added melamine to powered infant formula in order to falsely increase the protein content of the food. The Sanlu plant consequently went bankrupt and the milk industry lost $5 billion in sales.31 A similar incident occurred in 2009 with peanuts sold by the Peanut Corporation of America. In that case, a Salmonella contamination was intentionally concealed by management and the market for the affected product dropped by 25 percent, resulting in a $1 billion impact.32 In 2012, fraudsters purchased bottles for a premium line of ketchup, and filled them with basic, cheaper ketchup.33 Without adequate food safety measures, the bottles fermented and exploded. The operation was then abandoned and neighboring companies reported foul smells and vermin in the area.
Yadav noted that the food supply is vulnerable to cyberattacks as well. Some food companies rely on computer systems to control food manufacturing processes. Given the heightening focus on cybersecurity, all sectors should be adequately protected. Companies in the food chain are vulnerable, and Symantec, a cybersecurity company, estimates that more than 80 percent of small businesses do not have a formal cybersecurity plan, and a typical cyberattack on a small business could cost $200,000, subsequently threatening the solvency of the company.34 To address these cyber-threats, companies should use password-protected facility computers, install firewalls on computer networks and use up-to-date computer virus protections and detection systems, train personnel with access to critical cyber assets to recognize and report indicators of insider
29See, for example, Ehling, S. “Consumer Product Fraud: Deterrence and Detection.” Presented at the Ozark Food Processors Association Annual Convention, April 6, 2011. Available at: http://ofpa.uark.edu/pdf_files/2011%20talks/Ehling%20Product%20Fraud.pdf, p. 6; accessed September 26, 2014.
30Yardley, Jim. “Chinese Baby Formula Scandal Widens as 2nd Death is Announced.” New York Times, September 15, 2008. Availability at: http://www.nytimes.com/2008/09/16/world/asia/16milk.html?_r=0; accessed October 20, 2014.
31Grocery Manufacturers Association and A. T. Kearney. Consumer Product Fraud: Deterrence and Detection, 2010, p. 6. Available at: http://www.gmaonline.org/downloads/research-and-reports/consumerproductfraud.pdf; accessed September 26, 2014.
32Tavernise, Sabrina. “Charges Filed in Peanut Salmonella Case.” New York Times, February 21, 2013. Available at: http://www.nytimes.com/2013/02/22/business/us-charges-former-owner-and-employees-in-peanut-salmonella-case.html?adxnnl=1&adxnnlx=1413813790-kAVmhbQe821N3N+ptvx12Q; accessed October 20, 2014.
33Tepper. R. “Counterfeit Heinz Ketchup Operation Discovered in New Jersey.” Huffington Post, October 18, 2012. Available at: http://www.huffingtonpost.com/2012/10/18/counterfeit-heinz-ketchup_n_1981324.html; accessed September 22, 2014.
34Brooks, C. “Small Businesses Don’t Take Cybersecurity Seriously.” Business News Daily, October 26, 2011. Available at: http://www.businessnewsdaily.com/1603-cybersecurity-small-business.html; accessed September 22, 2014.
threats, limit physical access to computer systems to authorized personnel, and have policies and procedures for handling an insider threat incident.
To combat these threats to the food supply, the United States uses a comprehensive strategy to address various aspects of food defense. These strategies are codified in laws and directives, and contain the following elements:
- Outreach: The approach to outreach and training for industry and consumers is to provide information and tools to assist them in addressing food defense. This includes guidance materials on food defense plans and exercise kits. Training is also provided for agency employees, relevant partner agency personnel, and foreign counterparts.
- Vulnerability Assessments: VAs are performed for various commodity systems, which help identify products of higher concern, points in the process that are more vulnerable to intentional contamination, likely agents that could be used, mitigation strategies for government and industry, research needs, and a means of better allocating limited human and financial resources.
- Mitigation Strategies: The FDA works closely with the food industry, partner agencies, and foreign counterparts on developing and implementing mitigation strategies.
- Surveillance Activities: Surveillance activities are performed in various ways, such as by sampling some food products for certain threat agents, consumer reporting systems, and suspicious activity reporting.
- Research: Research is conducted on food defense needs, such as developing detection methods and survivability studies of threat agents in food processing.
- Food Defense Exercises: Food defense exercises are performed to test response plans and include industry and government stakeholders. These exercises contribute to the development of guidelines for industry on food disposal and facility decontamination. It is important to understand that food may be considered hazardous waste depending on the contaminant, and therefore special disposal methods may be necessary. Typical sanitation cleansers may not be sufficient to ensure that the facility is free of residue before resuming food production.
- Media Involvement: Good relationships with the media are critical to ensure informed reporting that can aid quick recovery from an incident. It is important to understand that heightened interest by the public and media requires special consideration when developing risk communication messages.
In conclusion, Yadav summarized his remarks by stating that there is a broad spectrum of nontraditional threats to the food supply chain, and it is possible to cause significant public health and economic impact from intentional contamination. Therefore, experts must focus on the entire food supply chain, “farm to fork.” To do so effectively requires the development of a comprehen-
sive strategy and collaboration with all stakeholders. The food supply is global, and experts must work together to reduce and minimize the risk and impact of an incident of intentional contamination.
Securing Plants, Animals, and Crops in India
Abraham Verghese specifically addressed the threat to agricultural crops from invasive species entering India mostly in an unplanned manner. Compared with other threats, the perceived threat from invasive species is low, and methods of preventing the arrival of these species are weak. However, once an invasive species is identified, India’s capacity to address the invasion is good.
Verghese then described several threats that Indian agriculture faces due to invasive species. The first was the western flower thrips (Frankliniella occidentalis [Pergande]). This insect is native to North America and punctures the leaves, flowers, or stems with its mouth and sucks the sap of the plants. The Phenacoccus manihoti, a bug that affects Africa and Thailand, caused crop losses of up to 82 percent in the 1980s and in 2008.35 The Brontispa beetle can potentially enter India from all sides and affect coconut trees by damaging their crowns and eventually killing the entire tree. In 2006 and 2007, the beetle caused considerable damage in Myanmar.36
The Ophelimus maskelli (bug) is threatening to become an invasive species from Europe, and the Aleurodicus dugesii (giant whitefly) is a potential invasive threat to India from Mexico.37 The glassy-winged sharpshooter leaf-hopper (Homalodisca vitripennis) is native to the south eastern United States and is a vector for bacterium (Xylella fastidiosa), which causes devastating plant diseases, such as Pierce’s disease and scorches.38 The Mediterranean fruit fly (Ceratitis capitata) can be found in most tropical and subtropical areas of the world and is the world’s most destructive pest. Unlike most fruit flies, it can tolerate cooler climates and live on a wide range of host plants, such as apricots, nectarines, peaches, mandarins, and to a lesser extent apples and pears. Wheat stem rust (Ug99 race) is a continuing problem in India, and globally 80 percent
35Lyons, Elizabeth E. and Scott E. Miller. “Invasive Species Eastern Africa: Proceedings of a Workshop held at ICIPE, July 5-6, 1999.” African Insect Science for Food and Health (ICIPE) Science Press. Available at: https://www.cbd.int/doc/meetings/cop/cop05-inf-33-en-pdf; accessed October 20, 2014.
37Drake, James A., ed. “Handbook of Alien Species in Europe, Invading Nature – Springer Series in Invasion Ecology.” Vol. 3, 2009. Available at: http://www.springer.com/life+sciences/ecology/book/978-1-4020-8279-5; accessed on October 20, 2014.
38Mizell, Russell F., et al. “Xylella Fastidiosa Diseases and Their Leafhopper Vector.” University of Florida. Available at: http://edis.ifas.ufl.edu/pdffiles/IN/IN17400.pdf; accessed October 20, 2014.
of wheat varieties are susceptible.39 Based on prevailing winds and areas of wheat production, the most likely route for the continuing advance of wheat rust is via the Arabian Peninsula.
Verghese provided examples of how other plants and insects have been introduced as a means of countering invasive species. The water fern (Salvinia molesta) is a native of south eastern Brazil, and to counter this species, Cyrtobagous salviniae was introduced from Australia in 1982; large-scale mechanical removal of the fern was avoided, and the waterways were restored for transport and irrigation.40 The water hyacinth, Eichhornia crassipes, is also a native of Brazil and was introduced as an ornamental plant in the Calcutta botanical gardens in 1895.41 In 1982 and 1983, Neochetina bruchi, N. eichhornia, and Orthogalumna terebrantis were introduced from Argentina.42 Similarly, Alternaria was found to be particularly effective in combination with arthropods to combat weevils and mites, which are well established in India and which spread rapidly.43
Verghese said that 40 percent of insect invasions occur in the country through plant materials, 25 percent are from timber imports and 35 percent are accidental.44 Many of the ports of entry into India are porous with respect to plant products. These species could come across the border or be brought via seafaring trade, causing significant impact to agriculture and biodiversity, food supplies, commerce, and the economy.
Verghese closed by noting existing initiatives developed to address the global problem of invasive species, and steps that India plans to take to limit the
39Consultative Group on International Agricultural Research. “Virulent a New Strains of Ug99 Stem Rust, A Deadly Wheat Pathogen.” May 28, 2010. ScienceDaily. Available at: http://www.sciencedaily.com/releases/2010/05/100526134146.htm; accessed on October 20, 2014.
40Wittenberg, Rudiger and Matthew J.W. Cook, eds. “Invasive Alien Species: A Toolkit of Best Prevention and Management Practices.” Invasive Species Specialist Group Website. Available at: http://www.issg.org/pdf/publications/GISP/Guidelines_Toolkits_BestPractice/Wittenberg&Cock_2001_EN.pdf; accessed October 20, 2014.
41Hastings, R.B. “The Relationships Between the Indian Botanic Garden, Howrah and the Royal Botanic Gardens, Kew in Economic Botany.” Royal Botanic Gardens Website. Available at: http://www.kew.org/collections/ecbot/pages/wp-content/media/papers/hastings1986howrah.pdf; accessed October 20, 2014.
43Walia, Suresh and G.S. Dhaliwal. “Essential Oils as Green Pesticides: Potential and Constraints.” Biopesticides International. 4(1): 63-64. (2008). Available at: http://www.sierranaturalscience.com/THYME_CLOVEOIL.pdf; accessed October 20, 2014.
44Sallam, Mohammad N. “Insect Damage: Damage on Post-Harvest.” Food and Agriculture Organization of the United Nations. Available at: http://www.fao.org/fileadmin/user_upload/inpho/docs/Post_Harvest_Compendium_-_Pests-Insects.pdf; accessed October 20, 2014.
damage caused by invasive species.45 The Rio Convention on Biological Diversity of 1992 was an effort to raise awareness of the real threat posed by these species and to call for greater action to limit their transfer. The United Nations and other international organizations also formed the Global Invasive Species Program to answer this call with a series of programs designed to deal with particular sorts of introduced species. The International Union for Conservation of Nature (IUCN) has identified the problem of alien invasive species as one of its major global initiatives and recently finalized the IUCN Guidelines for the Prevention of Biodiversity Loss Caused by Alien Invasive Species.46 India plans to tackle the domestic problem of invasive species by developing a process of strict quarantines like those in the United States and Australia. Given its importance, they plan to raise the level of awareness about invasive species among the general public.
The discussion began with a question about what happens to species that are intentionally introduced into India to try to counter invasive species. Verghese replied that these species remain in the ecosystem; therefore, it is important to be careful about what is introduced, where, and why. The goal is to identify a species that only targets the intended species and does not adversely affect any of the other native species.
Raymond Jeanloz asked a question in this session that applies to all sessions. When is the situation good enough? In other words, at what point does one decide that additional investments in security are not worth the additional marginal benefits? There must be some analysis in the food industry of the point at which companies will not spend more money on making the food supply safer. From a technical point of view, it is important to ask the question about what is good enough. How should we assess the tradeoffs in terms of how good the security and safety have to be for us to agree that it is good enough? Yadav replied that in the food supply in the United States, all industries are governed by a regulatory body that enforces regulation and the expected outcomes of the food industry. Compliance with these regulations is easy for large, multinational corporations, but it is difficult for small companies, such as those in India because the necessary equipment is expensive. Therefore, he noted that the guiding principle is a common-sense approach.
Verghese added that tradeoffs exist unwittingly because at the points of entry into India, greater attention is paid to the import of non-biological products
45Botanic Gardens Conservation International. “Agenda 21: Programme of Action for Sustainable Development Volume 3, Number 2.” June, 1999. Available at: http://www.bgci.org/worldwide/article/0011/; accessed October 20, 2014.
46McNeely, Jeffrey A., et al. “Global Strategies on Invasive Alien Species.” U.S. Fish and Wildlife Service. Available at: http://www.fws.gov/invasives/volunteerstrainingmodule/pdf/bigpicture/globalstrategy.pdf; accessed October 20, 2014.
such as gold and silver, and to electronic goods than to foods and plants. India is trying to create a better balance so that financial investments in security will be better focused on potential threats. It is important to develop more economic analysis to guide decisions about investments in security. Jeanloz added that at this point, profit has greater weight than security considerations, although there are cultural issues as well. For example, what would India be like without coconuts? Therefore, he wanted to start the discussion about the potential qualitative consequences of terrorism in addition to financial consequences. Verghese agreed with Jeanloz’s point because, as he recounted, when the invasive species affected the coconuts, the local government was toppled. Yadav also noted that the tradeoff is similar to that made regarding insurance: “How much insurance is sufficient?” Investment in food defense is like an investment in insurance. Another workshop participant noted that this discussion is an important outcome of the workshop.
A workshop participant asked how one would determine whether an incident was caused intentionally or unintentionally. Yadav replied that the answer to this question deals with the distinctions between food safety and food defense. There are only two factors that differentiate these issues. The first is whether or not the contaminant is naturally occurring in the food supply, such as Salmonella. If it is, this is considered food safety. Food defense deals with intentionally introduced substances that are not part of the food supply chain, such as anthrax. The participant followed up with a question as to whether or not there were examples of an intentional outbreak caused by a naturally occurring substance. Yadav noted that in 1984, a cult in the United States introduced Salmonella into salad bars and during the investigation, the chain of custody was traced to determine how the Salmonella was introduced.
Augustine raised the issue of insider threats. The food defense plan showed by Yadav did not specifically site the insider as a potential threat. He asked what is being done today to address the insider threat. Yadav replied that this was discussed during his training in the United States, and he learned that employees in food industries undergo background checks. In the food defense plan, there are mechanisms for supervisors and managers to report employees who may exhibit unusual behavior, if there is such an employee, he or she will remain under surveillance until there is a change in behavior or in the situation.
David Franz asked how good the United States is at tracking food back through the food supply chain and how important this ability is for food safety and food defense. Yadav answered that most U.S. industries are regulated by USDA, and they are about 90 to 95 percent compliant. These industries also have surveillance systems to determine what happened in the event of an incident, but it is not foolproof. Franz followed up by asking if there is one comprehensive database with all food items available in U.S. supermarkets. For example, if a customer buys a tomato from China, can he or she go back to find the place of origin of the tomato? Yadav replied that the chain of custody is maintained at every point on the supply chain, but it is not easy to trace. Verghese added that there are national standards established by each country that regulate
international imports and exports of food stuffs and whether or not the imports and exports comply with the regulations.
Van Romero noted that public perceptions are also important. The government can say whatever it wants, but if a consumer does not want to buy something, he or she will not. This was true after the Fukushima nuclear disaster, for example. Some people in the United States would not believe that the food was safe, even though many tests had determined it to be radiation free. Yadav agreed that countries need to explore their trade offs in regard to investment in public outreach.
Guenther asked about the distinction between intentionally introduced and unintentionally introduced contaminations of elements common into the food chain. A terrorist may intentionally introduce a naturally occurring contaminant into the food supply chain to avoid detection or suspicion. Likewise, terrorists may not always be looking for maximum casualties. The whole point may be to keep people sick for a long time, meaning that an intentionally introduced contaminant that is part of the normal food chain may go undetected for a long time.
Yadav replied that if regularly occurring contaminates are introduced into the food chain at a high level, they will not go undetected. The first point of detection would be at the processing stage, because industry regularly checks for contaminants that are normally part of the food chain. In the case of salad bars, analyses of pathogens that are part of the food chain are taken regularly. However, as with anything else, there are outliers, and these incidents should be detected at public health institutions and an investigation would be launched. These incident reports would signal that something is amiss. Unfortunately, unless someone reports something to hospitals, these incidents could go undetected.
Finally, Guenther asked how Indian experts identify invasive species. Verghese noted, as an example, that the beetle populations in the northeast of India are monitored due to the border with Myanmar, where the beetles are rampant. They have developed a system whereby there is a central agricultural university in the region with affiliates down to the local level. Local communities are shown how to identify the beetles and why they are important to locate, and people then look out for them, and if there is any suspicion of an increase in the number of beetles, people are to alert the network and a response team is sent. They are considering introducing training to children, because this has been successful in Australia, where almost all school children know about invasive species; starting awareness with children is effective because young people like to catch bugs and are curious about the natural world.
Enhancing the Security of India’s Critical Infrastructure: Aviation Security
B. K. Maurya began his presentation by noting that since 9/11 and the December 1999 Kandahar hijacking incident, aviation security has undergone a radical shift in India. Aviation is a global industry, and as aviation security con-
cerns have grown globally, mutual cooperation has grown among countries. India has enacted stringent measures to ensure that international regulations are followed with respect to cargo and passenger security. At the same time, air travel has increased dramatically in India to previously unimagined levels: nearly 160 million passengers flew through Indian airports in 2012. To enhance professionalism in security operations in India’s civil aviation sector, 51 airports in the country have been placed under the Central Industrial Security Force (CISF).
Security, Maurya noted, always comes with trade-offs among cost, privacy, and facilitation (ease of passage). Due to the increasing costs of aviation fuel, the profit margin on commercial flights is low, Maurya said, and this creates pressures on the costs of security, as they compete against profits. To detect and identify threats, baggage and passengers are screened, which takes time. Expectations vs. realities must be balanced with respect to risk.
The main threat focus in the aviation sector is on improvised explosive devices (IEDs) and prohibited items (weapons and hazards), but given the complexity of the aviation enterprise, cybersecurity, insider threats, vehicle bombs, and other threats also demand attention. Innovative technology may help address the challenges faced in air security. Maurya highlighted technologies currently used in aviation security in India, including surveillance equipment, perimeter security equipment, biometric access systems, X-ray screening systems for cargo, explosive trace-detector systems for explosives in cargo and baggage, and canine explosive-detecting teams. Security managers are considering ideas such as blast-resistant cargo containers (or wrapping cargo containers in bomb blankets), more formal Perimeter Intrusion Detection and Assessment System systems, more sophisticated x-ray scanners, such as computed tomography scanners, neutron-based screening technology, detectors for liquid explosives, and IED disruptors.
Maurya affirmed that India also takes the human side of aviation security, and particularly insider threats, very seriously, and said several steps have been taken to address this potential problem.
Recent Experience with Averted Power Failure in Silicon Valley
Michael O’Brien began by noting that, historically, critical energy infrastructure in the United States has operated in a low-threat environment. However, the perception of the threat environment has changed as cyberattacks have steadily increased in recent years, and two incidents in 2013, one in the state of California and one in the state of Arkansas, demonstrated how significant damage could result from orchestrated physical attacks. As a result, DHS, the Department of Energy, and the FBI are working closely with U.S. industry to communicate current threats and discuss enhanced protection measures to mitigate attacks from a higher threat.
Protecting energy supplies worldwide is extremely important. U.S. reliance on electricity is pervasive; very few activities and operations work without
electrical power. The threat to critical infrastructure is a global problem, and lessons learned through critical infrastructure protection work can be applied globally.
On April 16, 2013, a group sabotaged an electrical transmission facility in California’s Silicon Valley. The attackers caused significant damage (estimated at $20 million), but a blackout was averted. Four months later, in three sabotage attacks, power lines and power poles were cut down and a control center was burned in Arkansas.
O’Brien stated that although technology solutions are important to protect critical infrastructure, they are not the only answer. Sometimes the solution is better on-site situational awareness (more guards or monitors) and better coordination between guards and local law enforcement authorities. Wherever technology is used, it has to be selected and integrated with the facility and the organization using the technology, and it has to be maintained. Classifying threats as low, medium, and high, he said that the costs to protect against threats will increase exponentially as they move from low to high. Critical infrastructure generally has industrial-level security, which is inadequate against a higher threat.
O’Brien’s group at Lawrence Livermore National Laboratory conducts vulnerability assessments and helps to develop security plans for key facilities. He and his colleagues evaluated the 2013 attacks and made recommendations. His group also advocates a systematic approach to both evaluate security at the facility and to develop a graded protection strategy made up of layers of security measures.
O’Brien said that the first step is to define the design-basis threat and to develop a list of adversary characteristics. A clear understanding of current threats and the mitigation of risks in a critical industrial environment is essential. Next, his team characterizes the facility and identifies targets. Based on these definitions and characterizations, they develop attack scenarios and validate them to ensure that the scenarios represent the key security needs. O’Brien and his colleagues then identify measures to mitigate the vulnerabilities and then validate those measures, modeling attacks with the mitigation measures in place. Finally, they analyze the costs and benefits of the measures to support decisions about whether to deploy the mitigation measures.
At any facility, one also needs to have an effective insider protection program to promote security culture. Identification of critical facilities and understanding cascading effects of attacks, he said, are key to defining consequences, as is deployment of protection strategies that integrate human and technology elements to mitigate risk.
A Practical Approach to Infrastructure Protection: Lessons from the Field
John Holmes provided a practical, experience-based approach to infrastructure protection; in essence, he distilled lessons learned from several years as
director of operations and security at the Port of Los Angeles, where approximately $200 million have been spent on security upgrades since 2001. The combined Los Angeles-Long Beach Port Complex is the world’s fifth largest port, with 25,000 employees who handle 43 percent of U.S. container imports using the port’s ships, channels, waterways, bridges, roads, rail facilities, power stations, and other facilities. Major ports are not only critical infrastructure themselves, they are cities with critical infrastructure of their own.
Holmes said that development and implementation of security systems for critical infrastructure is sometimes described in four steps: define the requirements, design the protection system, evaluate the system once installed, and repeat as needed. But it is never that simple for complex facilities. Security is a system of systems in which all the pieces must fit together to be effective, but business operational processes conspire to thwart system development. Vulnerabilities are created when some of the pieces do not fit together or into the larger system. Regardless of the technical aspects of security, the implementation, integration, maintenance, and management of systems present the largest challenges.
Holmes noted that an important feature of an effective security organization is the ability to learn from mistakes, adapt, and improve. He listed 10 lessons he learned while securing the Port of Los Angeles, saying that he hoped no one would have to repeat the mistakes that taught him these important lessons. The 10 lessons are:
- Identify your problems. Conducting a security assessment enables the security manager to focus on the most important problems and to justify use of funds to address those problems. Assessment is not a one-time event; it should be conducted continuously to ensure that it is current and that it responds to changes in the global and local threat and physical environment. Cybersecurity was not even considered early on, but now it is the most pervasive, single biggest concern.
- Be certain of the problem you are trying to solve. Holmes advised to analyze the specific problem because it may differ in practical reality from a general characterization of the issue.
- Examine what others are doing. In many cases, someone else has already confronted similar problems. Holmes recommended that security managers reach out to others in the same industry to find solutions and shamelessly steal good ideas.
- Use the correct tool for the job. Sometimes the best solution is not technical. Changes to processes and procedures sometimes solve a problem without any procurement of equipment. Technology is best used to increase the effectiveness of the humans operating the system rather than as a solution in itself, a so-called silver bullet.
FIGURE 3-3 Maritime Domain Awareness is as much about processes and procedures as it is about technology; it is a merger of high-tech with low-tech; it is the ultimate exercise in information fusion; when successful, it is a powerful tool to prevent and/or deter incidents; it pays dividends in other areas. SOURCE: National Oceanic and Atompheric Administration. Available at: http://www.ioos.noaa.gov/global/geo_global_hfr_mar2012.pdf; accessed October 9, 2014.
- When you think that you have the right solution, check it again. An independent analysis of the solution brings a fresh perspective that can find flaws in reasoning or fact that can save millions of dollars.
- Conduct a thorough cost analysis. If the cost analysis is incomplete or inaccurate, the security manager may commit the organization to unexpected costs, sometimes extending years into the future.
- Don’t overbuy or overcomplicate the project. Unnecessary complexity in a security system is usually a liability rather than an asset. Solutions that are easier to instill, maintain, and repair are generally more sustainable.
- Strive for compatibility. One cannot just redesign the overall system. Work with the existing system, and at times, practical considerations irrelevant to security can override an ideal solution. A sophisticated component or system that does not integrate well with the larger system generally does not deliver the capability that justified the sophistication. Also, implementing security systems takes time, and in many cases the technology will need to be updated even before completion of the implementation, so standardization and compatibility are important.
- Coordination and cooperation are critical. Even a huge port is only part of a larger system. Having a high-level plan and a mechanism to coordinate implementation of that plan minimizes unnecessary arguments and unproductive conflicting efforts within and across organizations.
- Focus on prevention. Prevention of an incident is the most important effort. Learning from an event and focusing on how to prevent the next one is a better use of time and effort than figuring out how to improve response.
In parting thoughts, Holmes noted that the perfect can sometimes be the enemy of the good: a basic system that works is better than an ambitious security system that does not operate. This is also true of Maritime Domain Awareness (MDA) as described in Figure 3-3. He said that training is important because those who operate the systems on a daily basis are key to the effective operation of the overall system. They should understand how their jobs affect overall security. Finally, he reiterated that honest assessments of failures are critical to improving security.
This page intentionally left blank.