Risk-Based Performance Standards (RBPS) 15 - Reporting of Significant Security Incidents and RBPS 16 - Significant Security Incidents and Suspicious Activities complement each other and address the importance of developing protocols and procedures for promptly and adequately identifying, investigating, reporting, and maintaining records of all significant security incidents and suspicious activities in or near the site.
Covered chemical facilities should establish protocols governing how an incident is identified and reported to the appropriate facility personnel, as well as protocols for determining whether the incident is “significant” and must therefore be reported to local law enforcement and/or DHS.
Security Measures for Incidents
The easiest way for a facility to prepare its employees to do their part is to clearly explain to them, and especially to its security staff, how to identify, respond to, and report the incident or activity. This can be achieved by security measures that include establishing protocols for:
- Reporting an incident to facility security and up through the security chain of command of the facility and the company that owns or operates the facility
- Determining whether or not a security incident is significant and warrants informing DHS and/or local law enforcement
The facility should have written procedures in its security plan (Site Security Plan [SSP] or Alternative Security Program [ASP]) or elsewhere, to ensure that qualified personnel conduct thorough investigations of significant security incidents and suspicious activities to determine the level of threat, any vulnerabilities that were exploited, and what security upgrades, if any, are warranted.
As part of a facility’s Security Awareness and Training Program (SATP), employees should be trained on these protocols, and lessons learned should be shared with appropriate facility personnel. (See page 90 of the CFATS RBPS Guidance.)
- An SATP is a predefined and documented set of training activities that focus on relevant security-related issues for the facility and enhance the overall security awareness of facility employees.
Significant Security Incidents (Physical and Cyber)
A wide range of events may be considered a security incident, ranging from trespassing, vandalism, and petty theft to cyber attacks, bomb threats, and armed attacks. Determining whether or not an incident is “significant,” and thus reportable to DHS and local law enforcement, is generally within the discretion of the facility. Significant security incidents will likely include events that arise from intentional threats that attempt to circumvent, or succeed in circumventing, a security measure, for example:
- An intentional breach of the facility’s restricted area or perimeter
- An intentional act to forcefully or covertly bypass an access control point
- The theft or diversion, or suspected theft or diversion, of a chemical of interest (COI)
- An on-site fire, explosion, release or other incident requiring the attention of local first responders
- Any incident with malicious intent to adversely affect critical cyber assets, including IT equipment
Suspicious activities could include a pattern of suspicious people or vehicles in or near the facility, photographing the facility, or other unusual activity indicating that an adversary may be probing or assessing the facility’s security capabilities. This could also include suspicious orders of COI from unknown customers, customers who request cash payments, or delivery to unknown locations or businesses.
Reporting an Incident
If a significant security incident is detected while in progress, the first call should go to local law enforcement and emergency responders via 911. Similarly, it is recommended that a facility report the incident immediately via 911 if the event has concluded but an immediate response is still necessary.
Once the incident has concluded and the facility has addressed any resulting emergency, a facility should use a non-emergency number to contact local first responders and DHS. Within DHS, report significant physical incidents to the National Infrastructure Coordinating Center (NICC) and report significant cybersecurity incidents to the U.S. Computer Emergency Readiness Team (US-CERT):