ChemLock: Chemical Security Considerations for No-Notice Events
A no-notice event is any incident that occurs unexpectedly or with minimal warning and may result in adverse security impacts where it could be difficult to warn individuals or communities prior to the event. These types of events could include, but are not limited to, civil unrest, active assailants, unauthorized drone activity, cyberattacks, accidents, fires, and earthquakes.
Although no-notice events are unpredictable, facilities with dangerous chemicals can take precautions to prepare for and mitigate the impacts from a variety of no-notice events so that dangerous chemicals that can be weaponized remain secure. The ChemLock program presents chemical security options that facilities with dangerous chemicals should consider in preparing for and responding to no-notice events.
Risk Mitigation
While no-notice events occur without warning, facilities can prepare for man-made and natural hazards that are more likely to occur in the vicinity of a facility, as well as be aware of circumstances that could lead to security failures, such as severe storms that could result in flooding or a public demonstration that could escalate to civil unrest. When circumstances align and could lead to a no-notice event (i.e., severe storms or public demonstration), owners and operators should consider adopting a heightened state of awareness.
Stay Informed of Current Events in Your Community
- Know when and where major public activities—such as planned protests, festivals, or other large gatherings—are taking place in the vicinity of the facility.
- If your community is prone to certain natural hazards, such as earthquakes, wildfires, or tornadoes, stay vigilant and ensure that personnel receive alerts for natural hazards so that security can be maintained.
Sign up for national security or incident alerts like those below. Also, contact your local authorities to inquire about local emergency alerts for community incidents and hazards in your area.
Develop, Implement, Exercise, and Update Security and Response Plans
- Identify the no-notice scenarios that are most likely to occur in and around the facility. With those scenarios in mind, identify facility and asset vulnerabilities, and develop security and response plans.
- Ensure your plans are up-to-date, train personnel on the plans, and periodically exercise the plans. Consider including local emergency managers, planners, and first responders in facility security and response plan exercises.
To help facilities develop a security plan or assess their current security plan, CISA developed a chemical security plan guidance document and template that facilities can download and customize for their facility. Using five security goals, the ChemLock security plan walks step-by-step through what to consider including in a holistic chemical security plan.
To help facilities test and assess their security and response plans, CISA has developed tabletop exercises that facilities can either run on their own or request CISA expertise in facilitating a live tailored tabletop exercise.
Learn more about ChemLock Exercises
Enhance Facility Security Posture
- Secure and ensure monitoring of facility assets.
- Consider increasing inventory checks of all critical items, such as keys, personnel badges, uniforms, delivery vehicles, and chemicals during and after events.
- Understand where events are occurring in proximity to the facility and consider minimizing or closing business operations when major events are occurring nearby.
- If involved in deliveries or shipping, identify alternate routes or delivery times and adjust accordingly.
- Ensure consistent communication to keep facility personnel and local responders updated.
- Ensure that any changes in operations due to events do not allow diversion or misuse of chemicals, equipment, or technical information.
- Remind facility personnel to follow incident reporting protocols for suspicious activity or security events in or near facility’s entry/exit points, loading docks, parking areas, restricted areas, or immediate vicinity according to the facility’s reporting protocols. Learn more about reporting suspicious activity and security incidents.
CISA has security experts across the country that can come to your facility to help you assess and enhance your current security posture.
Learn more about ChemLock On-Site Assessments and Assistance
Enhance Cybersecurity
As cyberattacks can occur at any time, vigilance regarding a facility’s cyber infrastructure is critical. Actions that facilities can take to mitigate no-notice events include:
- Conduct risk analysis for business and operational systems, including those involving chemicals. Identify and evaluate potential vulnerabilities and implement appropriate compensatory security controls.
- Restrict physical access to critical cyber assets and media to limited authorized users. Consider further restrictions when adopting a heightened sense of awareness as circumstances dictate.
- Back up all critical information. Store backups offline as well as offsite for additional layers of security against hackers. Test backups periodically.
- CISA provides additional guidance for facilities on mitigating cyber threats, including CISA cyber assessments.
Response and Recovery
Because the effects of no-notice events can vary, the response and recovery associated with each event will also vary. Listed below are general actions that all owners and operators can consider after a no-notice event.
Response
- Mitigate adverse impacts associated with an incident and ensure security measures for dangerous chemicals are being maintained.
- Maintain internal documentation of actual and near-miss incidents to incorporate into training and safety and security plans.
Recovery
- Assess what steps are necessary to safely and securely return to normal business operations and communicate that action plan clearly with facility personnel and the surrounding community.
- Once business continuity has been established, conduct an assessment of the incident and the facility’s response to that incident. Compare the facility’s planned responses with the actions taken in the heat of the moment. Identify vulnerabilities in the plan and areas for improvement.
Additional Chemical Security Considerations
ChemLock: Chemical Product Stewardship
Facilities that ship dangerous chemicals should consider implementing a product stewardship program, including a “know-your-customer” program, inventory management, in-transit tracking of chemicals, shipment confirmation, and receipt confirmation.
ChemLock: Chemical Security on a Budget
Everyone who interacts with dangerous chemicals has a role to play in taking action to prevent them from being weaponized by terrorists. Learn more about some simple, effective, and cost-efficient actions to enhance a facility’s security posture.
ChemLock: Conducting a Chemical Security Self-Assessment
Periodically reviewing and assessing the security measures in a facility’s security plan is a critical component in maintaining an effective security plan. Learn more about how to systematically review and assess a facility security plan.
ChemLock: Reporting Suspicious Activity and Security Incidents
Facilities with dangerous chemicals should establish a suspicious activity and security incident reporting process. Learn more about how to identify suspicious activities and develop a reporting process for suspicious activity and security incidents.
Cybersecurity Resources
Free Cybersecurity Services and Tools
In addition to offering a range of no-cost CISA-provided cybersecurity services, CISA has compiled a list of free services and tools provided by private and public sector organizations across the cyber community.
Cyber Guidance for Small Businesses
CISA offers a different kind of cybersecurity advice for small businesses and their employees. Learn more about how your small business can address cyber threats.
Cybersecurity Best Practices
CISA provides information on cybersecurity best practices to help individuals and organizations implement preventative measures and manage cyber risks.
Contact Information
For more information or questions, please email ChemLock@cisa.dhs.gov.
NOTE: Participation in any portion of CISA's ChemLock program does not replace any reporting or compliance requirements under CISA's Chemical Facility Anti-Terrorism Standards (CFATS) regulation (6 CFR part 27). Some ChemLock activities may fulfill CFATS requirements, depending on your specific security plan. Contact local CISA Chemical Security personnel or visit the CFATS webpage to learn more about CFATS regulatory requirements.