Storage terminal security has evolved and emerged as more significant over the years. Regulation is an important piece of that, but it's only one piece. Security can be a very complicated process.
In “Effective Measures for Meeting Terminal Security Objectives,” Steve Roberts of the Roberts Law Group and a panel of four storage terminal executives broke it down during the 32nd Annual International Operating Conference & Trade Show held by the International Liquid Terminals Association May 21-23 in Houston, Texas.
Roberts first went through seven elements:
- Regulatory compliance: A host of security compliance obligations affect terminals, including CFATS; MTSA/TWIC; DOT HM-232; and pipeline.
- “CFATS (Chemical Facility Anti-Terrorism Standards) covers high-level security risks based on 18 factors,” Roberts said. “MTSA (Maritime Transportation Security Act) has been around for a decade. A lot is going on in terms of rulemaking. The TWIC (Transportation Worker Identification Credential) is required for certain secure areas of facilities. TWIC cards are good for five years. In 2013 and into 2014, a million-plus cards come up for renewal. What's that process going to look like?
- “Pipeline is not regulatory per se. Pipeline activity is voluntary. They can't enforce things against you, but can make things tougher.”
- Investigations: To determine why or how a security event occurred; identify offenders and collect evidence for prosecutions; and affect change in existing security programs.
- “How do we learn from that? Certainly with the price of gasoline ranging from $3.60 to 4.25, a tanker truck has a lot of value. A recent story documented pilfering a little bit at a time. Most of the time, it's an insider. It's not somebody coming over the fence line.”
- Emergency preparedness: To help prepare for natural disasters (especially along the Gulf Coast during hurricane season), accidents, and intentional acts.
- “This is certainly a part of the security discipline. We've seen that time and time again. It can mean lots of things. A good example is if a site has to shut down or is impacted by storm. Security is involved in that. How are we going to protect those assets? What are the resources internally in terms of emergency preparedness if something were to happen?”
- Emergency response: To help respond to natural disasters, accidents, and intentional acts.
- “How do we foster the kind of relationship we had when fire departments were the first respondents on the law enforcement side, the interdiction side? A big part of security is fostering relationships we've historically had with fire departments. Would officers who are on patrol right now know what gate to respond to if the police dispatcher simply said ‘ABC Terminal?’”
- Training and exercises: To ensure that if we “see something, we say something” as well as to help ensure appropriate emergency preparedness and response.
- “There's a lot of training going on increasingly on the security side. Sometimes it's driven by regulations. There's a training element to CFATS. There's a big training element to DOT (Department of Transportation). But also training is sort of the responsible operator thing we need to do in terms of the basic who-what-where when-why. If you see something, say something. That supposes you know what to look for.”
- Recognition of and response to workplace violence: To include employee on employee, employee on third party, and third party on third party.
- “It's a big issue. It does happen. I've had it happen with two truck drivers. Workplace violence is something we're seeing more and more of.”
- Recurring audits: To ensure that compliance and corporate requirements are met and deficiencies are corrected.
Four panelists presented their insights:
Terry Whitley, Shell
“Most have an assurance program to ensure folks are doing what they should from a regulatory standpoint. But what about security? Do you have programs in place that ensure compliance with both internal and external security requirements? Chances are that most of the owner-operators in our industry don't have that. I believe this is one piece of the HSSC world that we really missed the boat on in some instances. It is what I refer to as the ‘missing link.’
“There are two major aspects: internal and external investigations. If you have a security incident, it's imperative to find out what happened, so the investigative piece if important.
“Investigations sometimes support civil requirements, but it's really the criminal side we get involved in most. If you have that security management system in place, the investigations allow you to view the effectiveness of those management systems from the outside and install counter-measures. And that does have an impact on reducing your liability.
“There is a propensity to defer investigations to the human resources department. However, HR can't handle everything. They are not trained as criminal investigators. They typically lack the huge competency skill set they need to successfully handle criminal matters. It comes to our group and we handle it internally. We had additional interview skills. We know how to collect evidence, make prosecutions, and handle the legal side.”
Gus Borkland, Sunoco Logistics Partners
“What are your threats? Criminal? From someone inside or outside the company? Are they organized? What are you trying to protect?
“In this situation, talking about Sunoco Logistics, I'm talking about individual assets, not a pipeline system or cyber per se. When you understand that, design your measures. What are the risks? What are the consequences? When you look at your vulnerabilities, you're looking at the potential threats to that asset and the communities you work and live in.
“When we look at the people side, training is by far is one of most important things we feel we've done right. We have a lot of facilities that are a bit isolated, so we have to hit the training side hard. If you see something, say something.”
Jack McCrossin, CITGO Petroleum Corporation
“We have to accept that security is no longer a necessary evil. It has to be an integral part of your business, much like environmental safety.
“Addressing security in the same type of continuous improvement cycle, the management system, is a must. The plan/do/check/act continuous-improvement approach has to be used for security as it is for other elements of your business. You have to identify what security is upfront and make sure you have the senior management of the company involved to the nth degree. The folks in the corner offices have to be the first level of support. Otherwise the program will go nowhere.
“What does security mean? Is it just physical security? Is it just preventing theft, vandalism, or attack? Or does your security department encompass fraud, cyber, and workplace violence? You have to consider what you incorporate under the security umbrella.
“Auditing. It's a key function. If you're going to set objectives and measures, you have to have a plan in place to come back and evaluate progress. Once progress is evaluated, you have to have a follow-up step of corrective actions — not just what you want to improve, but whether that corrective action has been taken care of.
“Get engaged in local, state, and federal programs.”
Brian Temples, TransMontaigne Product Services
“It's knowing who's in your facility at all times, keeping gates closed at all times, in some places security guards.
“Investigations. You've got to know where (a threat exists), when, why, and how do you stop it?
“Auditing. If you're not auditing your facilities, it's hard to ensure compliance with regs.
“Training. ‘If you see something, say something’ is kind of what we're looking for.” ♦
