Pollution prevention (P2) and security have some parallel and simultaneous objectives. One common objective for both is to minimize the severity of potential environmental and health impacts of an accident or destructive event. The P2 community can proactively work with companies, consultants, and agencies--especially those working on security and emergency issues--to help accomplish this objective.

In order to achieve benefits by integrating these two tracks, a basic understanding of common tools and policy on both topics is important.

Security Resources and Methods that Coincide with P2

Some practices currently used in security improvements for facilities that coincide with P2 efforts include:

• Prioritization protocols, (for example, the American Chemistry Council (ACC) offers an initial assessment to determine a risk rating or index of a chemical facility based on three risk criteria: (1) relative difficulty of attack, (2) relative severity of attack and (3) attractiveness of the target);
• Initial and periodic analysis of potential security threats, vulnerabilities and consequences using accepted security analysis methodologies (such as security gap analysis, threat assessments, vulnerability assessments and criticality assessments);
• Periodic re-evaluation of security status;
• Published standards, guidelines and industry codes on security measures and implementation;
• Internal policy and procedures;
• Compliance to regulations related to hazard assessment and communication, emergency response and safety;
• Employee, buyer, supplier and contractor training and communication;
• Staged exercises and drills to determine readiness and likely outcomes; and
• Employee suggestion programs (e.g., to eliminate the use of specific hazardous chemicals and other risk reduction suggestions).

Security analysis protocols and security guidelines differ somewhat by industry. One of the most commonly used security analysis tools is a vulnerability assessment or security gap analysis, which is a process similar to the conventional process assessment and/or material hazards assessment used in the P2 field.

The security vulnerability assessment determines what specific resources at a site need protection, what threats may be directed at those resources and what steps to take to protect those resources. A generic example of a basic self-assessment tool for vulnerability, published by the North Carolina Department of Agriculture and Consumer Services is at http://www.ncagr.com/Industry_self-assessment.pdf.

Other security analysis tools include threat and criticality assessments. The threat assessment identifies and evaluates threats based on certain factors, including capability and intentions, as well as the potential lethality of an attack. The criticality assessment identifies and prioritizes assets and structures that require more protection from an attack. For more specific descriptions of these assessments, consult the statement to the federal government by Raymond Decker, Director Defense Capabilities and Management, October 2001, titled ?Key Elements of a Risk Management Approach? (Document Number GAO-02-150T).

For high-target risk industries--chemical, water utilities and electricity/energy infrastructure--specialized security analysis methods and/or guidelines have been developed and are listed below.

Chemical Industry

Several entities have published vulnerability assessment methods and guidance specific to the chemical industry and in some cases applicable to companies up and down the supply chain.

• ?Security Vulnerability Assessment Methodology for Chemical Facilities? (VAM-CF SM), by Sandia National Laboratory;
• ?Chemical Site Security Vulnerability Analysis Methodology and Model?, by the American Chemistry Council (ACC) in conjunction with the Synthetic Organic Chemical Manufacturers Association (SOCMA). (SOCMA now requires companies to meet the specific security standards in the ResponsibleCareTM Security Codes as a condition of membership);
• "Guidelines for Analyzing and Managing the Security Vulnerabilities at Fixed Chemical Sites?, by the American Institute of Chemical Engineers (AIChE) and the Center for Chemical Process Safety; and
• ?A Method to Assess the Vulnerability of U.S. Chemical Faciltiies?, by the (former) Department of Justice, November 2002.

Some in this industry question whether these tools will result in duplicative or additive requirements, since related new legislation was introduced to the 108th Congress in Spring of 2003.

Electricity/Energy Sector

The U.S. Office of Energy Assurance has published a number of vulnerability assessments guidance documents for the energy and electricity infrastructure, some of which include:

• ?Vulnerability Assessment Methodology, Electric Power Infrastructure?, Draft, September 2002
• Energy Infrastructure Risk Management Checklists for Small and Medium Sized Energy Facilities, August 2002
• Vulnerability Assessment and Survey Program - Lessons Learned and Best Practices, September 28, 2002
• Energy Infrastructure Vulnerability Survey Checklists, February 22, 2002

The American Petroleum Institute has published Security Guidance for the Petroleum Industry, March 2002. Since the petroleum refining industry has many of the same issues as the chemical industry, some of the guidance for the chemical industry is applicable.

Drinking Water / Infrastructure

The U.S. EPA, the American Water Works Association (AWWA) and the Association of Metropolitan Water Agencies (AMWA) have worked together to establish a comprehensive security system for water utilities, and to help fulfill the regulatory provisions of the Public Health Security and Bioterrorism Preparedness and Response Act. The program entails:

• training on vulnerability assessments;
• security protocols to safeguard vulnerability assessment findings after they are sent to EPA;
• guidance and technical assistance in revising emergency response plans;
• information on best practices and lessons learned; and,
• operation of the Water Information Sharing and Analysis Center (WISAC). WISAC provides a secure portal for the communication of sensitive security information among utilities, law enforcement and intelligence agencies.

Applicable Federal Policy Related to Security (Current as of July 2003)

The Homeland Security Act of 2002, received final congressional approval on November 22, 2002 and established the Department of Homeland Security. The functions of the Office are to coordinate the executive branch's efforts to detect, prepare for, prevent, protect against, respond to and recover from terrorist attacks within the United States.

The Public Health Security and Bioterrorism Preparedness and Response Act requires most community water systems to conduct a vulnerability assessment and prepare or revise an emergency response plan which incorporates the results of the vulnerability assessment. The system then must certify completion of the assessment and plan to the US EPA administrator.

The USEPA Strategic Plan for Homeland Security, issued September 2002, includes sections on critical infrastructure protection; preparedness, response and recovery; communication and information; and protection of EPA personnel and infrastructure.

Transportation Security Regulations, issued and administered by the Transportation Security Administration, cover air, land and maritime travel and transport.

Chemical Safety information, Site Security and Fuels Regulatory Relief Act - Risk Management Program Rule, under Section 112(r) of the Clean Air Act Amendments of 1990, requires facilities that use certain flammable and toxic substances, to implement a risk management program and submit a risk management plan (RMP) to the US EPA. http://yosemite.epa.gov/oswer/ceppoweb.nsf/content/RMPoverview.htm#WhatRMP

Emergency Planning and Community Right-to-Know Act (EPCRA), establishes requirements for governments, tribes, and industry, that deal with hazardous and toxic chemicals, for emergency planning, release potential assessment, and communication and reporting.

Occupational Safety and Health Administration (OSHA) Hazard Communication Standards (29 CFR 1910.1200), requires employers to develop a written Hazard Communication Program for their employees and contractors involved in hazardous waste operations. The program must identify, evaluate and control safety and health hazards, and provide for emergency response for hazardous waste operations.

Pollution Prevention Approaches

Findings and solutions from P2 and risk-reduction approaches will supplement security assessments and resulting action plans, as well as security compliance. Pollution prevention tools that should be considered in security analysis, guidance, and action plans, include various aspects of product stewardship, design for the environment (DfE), life cycle management, environmental procurement, sustainable development and environmental management systems. These umbrella P2 techniques offer a host of more specific opportunities, and are detailed in the "P2 Opportunities" section of this Topic Hub.

Applicable Federal Policy on Pollution Prevention

Because laws and initiatives and policy on P2 cover such a wide range of issues that can potentially supplement or work in tandem with security efforts, it is not possible to list them here. For a primer on the integration of pollution prevention in regulations and policy, please visit the P2Rx Topic Hub on Regulatory Integration, at http://glrppr.org/hubs/?page=toc&hub_id=30&subsec_id=7.