American Legislation

This document provides an overview of critical infrastructure protection measures in the United States and Europe. It discusses how the US established regulatory programs following threats like 9/11 and Hurricane Katrina to identify and protect critical sectors like energy, transportation, and chemical facilities. Europe established similar programs with some delay, resulting in the 2008 European Council Directive on identifying and designating critical European infrastructure. The document focuses on regulatory protections for industrial infrastructure, especially in the energy and chemical industries.


Hans Pasman

2 American legislation and regulatory measures: a lesson for Europe?

2.1 Introduction to critical infrastructure protection and public safety and security

People as part of a society share common infrastructures to enable their activities, to prosper, and to maintain a satisfactory safety and security level. These infrastructures have over time become rather diverse. Very basic in any society today and taken by most people for granted are clean water supply and a sewer system. Further, electrical energy, and energy in the form of energy carriers such as at present natural gas and other fossil fuels, and in view of climate change, possibly in the future, hydrogen, are most important. Apart from the many sources of electricity such as fossil fuel combustion in power stations, nuclear and hydro power, and today the more sustainable solar power and wind energy, there are the very costly connecting energy transportation grids to equalize demand. Other essential demands besides food are communication and transportation, implying a host of wired and wireless grids, and an extensive road and rail system.

Most of the above is physical, but society is dependent on many organizational and economic networks, and infrastructural channels such as finance and banking, health, education, justice and police, and emergency response. There is also much interconnectivity and interdependency among networks. This implies the risk of propagation of breakdown from one network to another resulting in a crisis. As natural disasters not only lead to fatalities and injuries or destroy housing and roads, but may also cause large scale damage to such infrastructural networks as electricity and water supply, a country’s economy may be severely damaged. Therefore, the UN and other international bodies encourage national governments to build resilience into critical infrastructure.

Within the scope of this book, this chapter on regulatory measures shall consider the protection of industrial physical infrastructure and not social or economic networks but production plants and transport systems. More specifically, we shall focus on the protection of the process industry encompassing primarily the energy and chemical industry but strictly speaking also steel making, food processing, and other industries that in their processing have large quantities of materials with hazardous properties. The security of nuclear power plants is a much older issue for which regulatory bodies and regulations have been in existence for many years and which will not be described here, as we shall focus on measures taken this century in view of the increased threats of terrorist attacks and extreme weather.

Dr.Ir. Hans J. Pasman has been in various management positions in the Defense Research part of the TNO Applied Research Organization for more than 30 years. He is Emeritus Chemical Risk Management of the Delft University of Technology and currently Research Professor at the Mary Kay O’Connor Process Safety Center (MKOPSC) of the Texas A&M University, College Station, Texas, USA. The views presented in this chapter are his personal ones.

https://doi.org/10.1515/9783110499087-002

Brought to you by | UCL - University College London
Authenticated
Download Date | 12/28/17 6:31 PM

Perhaps the share of the chemical industry in the overall infrastructure is not always recognized by the public. Chemical industry produces a large variety of materials and substances that we need in daily life and for which no natural resources exist, either in quality or in quantity. One can think of fibers for clothing, building materials, coatings, fertilizers, and thousands of other products, also supporting the economy as a whole by producing materials used in further manufacturing processes. Therefore, part of this industry is considered to be critical infrastructure. Some parts of it can be considered to be of strategic interest, as these are unique sources of materials and substances that are crucial for maintaining economic and defense related activities.

Threats are diverse; they will range from extreme weather effects to intentional external attacks on facilities or sabotage. Terrorist attacks can have the goal of initiating a release of hazardous material that will threaten plant workers and the surrounding population to cause large scale economic damage or inhibit the use of certain materials, or to steal materials or substances to fabricate lethal weapons. A terrorist attack can be by intrusion and access to facilities or by use of remote attack means from outside either from land, ship, or air. This can be physical by means of weaponry and explosive effects, or by using nuclear, biological, chemical, or radiological means (NBCR) against people, or by cyber-attack interfering with process control.

Setting up a major part of the infrastructural systems has been initiated, guided, and controlled by governments, and built and maintained by governmental agencies, in some cases after private initiatives already taken became nationalized. However, in particular in the 1990s within the background of a free global market philosophy of higher efficiency, ownership of much of all infrastructure shifted to private enterprise. As government remains accountable in a general sense for protection of infrastructure that is critically important to society, in the late 1990s and the early part of the 21st century the developed countries took initiatives in this respect. This trend was strengthened in view of the increasing complexity of the economy driven by higher demands and new technology, the larger interdependency of organizations and individuals and with that the increasing vulnerability of the well-being of society. Incidents such as disastrous electricity “blackouts”, and attempts to intentionally inflict damage such as spreading highly contagious diseases, and others made it clear that something should be done.

So, in 1998 because of growing potential vulnerability, President Bill Clinton initiated an action to establish protection of critical infrastructure by issuing Presidential Directive PDD-63 [1]. This formed the start of a US National program on Critical Infrastructure Protection, abbreviated as CIP. After the terrorist attack on the Manhattan World Trade Center on September 11, 2001, efforts have been multiplied. By the Homeland Security Presidential Directives, of which the first one appeared on October 29, 2001 [2], the main organizational anti-terrorist lines were drawn. This was followed with the Critical Infrastructures Protection Act of 2001 [3], while the Homeland Security Act of 2002 [4] founded the Department of Homeland Security (DHS) and made that department accountable for homeland security. Hurricane Katrina in 2005 and later hurricane disasters added to the necessity of having adequate preventive and protection measures and increased resilience by being prepared.

Europe followed the development in the US with some delay. In 2004 the European Commission was asked by the Council to develop a CIP strategy. A year later, on November 17, 2005 the Commission adopted the Green Paper [5] offering a number of policy options. Near the end of 2006, the Commission provided an update to the Council on its activities, entitled: On a European Programme for Critical Infrastructure Protection (EPCIP) [6]. Finally, 2 years later this resulted in Council Directive 2008/114/EC of December 8, 2008 [7] on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection. The underlying problems to arrive at a common European policy and the final content of the directive will be treated in Section 2.3. For a more extensive summary of the history of CIP programs in the USA and in Europe, reference is made to the book of Alessandro Lazari [8].

The energy and IT/communications sectors have been always high on the priority list of items to be protected. Driven by the requirement to protect the manufacture of strategically important materials within one’s own country, to protect the population around plants from violent phenomena in the case of an attack on a store of hazardous material, and the threat of theft of explosive material ingredients, chemical facilities have been also on the list.

In the next sections, we first shall take a more detailed look at the US regulation, which has been installed over the last decade with respect to the infrastructure sectors, and subsequently at the European regulatory measures.

2.2 US critical infrastructure protection actions

As mentioned above, after the initiative of President Clinton in 1998 to establish CIP [1] it took until after the attack on the Twin Towers in 2001 and the attempts to spread anthrax in 2002, for President Bush to sign the Homeland Security Act of 2002 [4] establishing the Department of Homeland Security (DHS). The act clearly served the purpose for federal, state, and local authorities and organizations of being better prepared and able to respond to terrorism and to take preventive action. In addition, it reinforced the critical infrastructure protection by bringing in the executive Federal Emergency Management Agency (FEMA), which had existed since 1978, and a number of other institutions with tasks in the case of major disaster under a newly formed Directorate of Emergency Preparedness and Response of the DHS.

Further, the Directorate of Border and Transportation Security was established under DHS. In addition to Customs Service, this directorate also contains the Transportation Security Administration (TSA). The latter is charged with the security of, in particular, airports, e.g., concerning explosives detection, in consultation with the Federal Aviation Agency (FAA). As we shall see later, a number of security tasks with respect to transportation of hazardous materials, which were under the wings of the Department of Transportation shifted to the TSA of DHS. Quite a number of other pre-existing entities, such as the US Coast Guard, were absorbed by the new department (22 altogether according to Bucci and Inserra [9]). In 2006, DHS issued its first National Infrastructure Protection Plan (NIPP) with updates appearing in 2009 and 2013 [10]. The plan provides general information on vision, mission, and goals, the CI environment, fundamentals, collaborations, and action call.

The establishment of such a new department also gave rise to criticism. The critics were concerned about the loss of individual freedom as a result of the powers of the new department and the large costs it would incur. From an organizational point of view not only the internal coordination of the various directorates would be a huge task but also establishing many new liaising ties with other departments. In any case, an important tie with respect to CIP in the physical sense is the one with the Department of Energy (DoE) of which the CIP activity we shall consider next. A further important physical security activity, which falls directly under the DHS, is implementation of the Chemical Facility Anti-Terrorism Standards (CFATS) Act [11] established in 2007 and tracking of how it works out. We shall describe the act and regulations and what it meant for the chemical industry below.

However, before describing the organizations with a direct executive for CIP and the measures they took, it is relevant to note some observations made by President Obama in the 2013 Presidential Policy Directive – Critical Infrastructure Security and Resilience, PPD-21 [12]. This directive came out after a decade of experience with DHS. Obama’s directive re-emphasized how crucial the functioning of critical infrastructural assets, networks, and systems is to public confidence and to the US. The directive uses words, such as “vital” to “safety, prosperity, and well-being of the Nation.” It acknowledged the complexity of the problem. It also clearly coupled security with resilience for the first time. The latter will make actions more complete, because besides preventing and protecting, also emergency response, contingency, and recovery are given more weight. CIP shall obtain more of a holistic system approach. CIP shall not be improvised activity but planned and provided with necessary resources to minimize damage. Strengthening of security and resilience shall be against both physical and cyber threats, and all hazards shall be considered. The directive underscored shared responsibility for CIP of federal, state, local, tribal, and territorial (e.g., Puerto Rico) entities and that of owners and operators of the infrastructure. It even announced engagement with international partners to strengthen their domestic CI if the US also depends on it. After stressing the interconnectedness and interdependency of the infrastructure, the directive identified energy and communications as the main enablers for all sectors.

Tab. 2.1: Sectors of CIP and SSA.

| No. | CIP Sector | Sector Specific Agency |
|---|---|---|
| 1 | Chemical | Department of Homeland Security |
| 2 | Commercial Facilities | Department of Homeland Security |
| 3 | Communications | Department of Homeland Security |
| 4 | Critical manufacturing | Department of Homeland Security |
| 5 | Dams | Department of Homeland Security |
| 6 | Defense Industrial Base | Department of Defense |
| 7 | Emergency Services | Department of Homeland Security |
| 8 | Energy | Department of Energy |
| 9 | Financial Services | Department of the Treasury |
| 10 | Food and Agriculture | Department of Agriculture and Department of Health and Human Services |
| 11 | Government Facilities | Department of Homeland Security and General Services Administration |
| 12 | Healthcare and Public Health | Department of Health and Human Services |
| 13 | Information Technology | Department of Homeland Security |
| 14 | Nuclear Reactors materials and Waste | Department of Homeland Security |
| 15 | Transportation Systems | Department of Homeland Security and Department of Transportation |
| 16 | Waste and Wastewater Systems | Environmental Protection Agency |

The directive announced three strategic imperatives for the Federal Government clearly addressing weaknesses in the past: 1) refining and clarifying functional relationships across the government, 2) identification of baseline data and systems requirements, and 3) implementation of an integration and analysis function to inform planning and operations decisions. Secretary DHS leads the efforts strategically, and the Sector Specific Agencies (SSAs) conduct all that is needed. The roles and responsibilities of DHS as a department with respect to vulnerability assessments, situational awareness, and coordination of activities are spelled out. Moreover, the tasks of a number of other departments, commissions and agencies to provide information or contributing otherwise are described.

Then, the imperatives are explained in more detail, and attention is paid to innovation and research and development. Finally, an action plan with a time schedule is given to achieve the goals specified in the directive. For example, within 240 days the Secretary DHS shall demonstrate “near real-time situational awareness capability for critical infrastructure that includes threat streams and all-hazards information as well as vulnerabilities”. DHS shall further provide the status of critical infrastructure and potential cascading effects, support decision making and disseminate all information needed to contain damage throughout an incident. Metrics shall be developed to measure abilities and risks and updated regularly when changes are observed. The CIP plan as a whole must be updated, including the functional relationships within DHS, across federal departments, and the public–private partnerships (PPS), introduced by President Clinton’s PDD [1], evaluated, and if necessary improved.

The directive PPD-21 distinguishes 16 CIP sectors and their lead agencies. These are summarized in Table 2.1. Relevant for the remainder of this chapter on process industry are energy and chemicals with their respective SSAs, the Department of Energy, and the Department of Homeland Security. In both cases, hundreds of private companies own and operate the assets.

The Center for Infrastructure Protection and Homeland Security of the George Mason University, School of Business in Arlington, Virginia, is an example of a university that conducts comprehensive analyses and research to improve the safety and security of the United States and its allies across all critical infrastructure sectors. It is involved in CIP-related education and also issues the monthly CIP Report [13] with topics and news related to themes such as the energy sector or resilience.

2.2.1 Energy security and assurance

The nuclear part of energy, nuclear power stations with everything that belongs to them such as nuclear waste and waste processing, which emanated from nuclear weapons development, has already been the subject of health, safety, security, and environmental regulations for many years. In this context, it has been subjected to oversight by commissions, e.g., the Nuclear Regulatory Commission, and inspection by independent authorities. The Department of Energy has been dealing with issues adhering to adequate risk control for many years. So, the increased vigilance with respect to possible terroristic attack arising at the beginning of this century can be considered as an enhancement and not as the completely new element it has been for the chemical industry, as we shall see in the next section.

Because of the many players in the field of power generation and delivery, both governmental and private, the Department of Energy (DoE) has set up a special Office of Enterprise Assessment (EA) to carry out DoE’s Independent Oversight Program to assure safety and security, see oversight implementation, DOE Order 226.1B [14] and its program, DOE Order 227.1A [15]. The program consists of conducting appraisals with the assistance of trusted agents. Naturally, EA shall be given all information requested and access to plants. The appraisals may contain force-on-force security exercise testing. Findings shall be documented, but imminent dangers or major vulnerabilities shall be notified immediately to the manager involved. EA is described in Independent Oversight Program Appraisal Process Protocols in more detail as well as how an appraisal is conducted [16]. The focus here is on nuclear installations and materials. EA reports to Congress [17] at the end of the year.


The DoE Office of Electricity Delivery and Energy Reliability (OE) is responsible
for security and resilience of the grid. The Assistant Secretary for Electricity Delivery
and Energy Reliability, Patricia Hoffman, in her testimony for the House in 2015 [18]
gave an overview of current and expected challenges such as the diversity of green
sources of electricity connected to the grid in addition to the conventional ones and
the load by the possible future mass market of electric cars. With respect to the fiscal
year 2016, she made a plea for investments in the grid with a priority on protection of
the grid from all hazards, secondly to invest in transformer resilience, and thirdly in
cyber security.
It can therefore be concluded that protection of critical energy infrastructure captures attention on a national level, is covered by regulation, and that there is a sincere political will to invest in the required strengthening.

2.2.2 Chemical facility anti-terrorism standards

A special policy regarding the chemical industry was not foreseen yet in the Homeland Security Act of 2002 [4]. It was only late in 2006 that Section 550 of the Homeland Security Appropriations Act gave DHS the authority to promulgate a special (interim final) rule concerning prevention of terroristic attack at facilities of the chemical industry, and this was signed in 2007. This rule became the Chemical Facility Anti-Terrorism Standards (CFATS) Act, of which the latest version was signed in 2014, see [19]. In fact, three possible terrorist/criminal operations must be thwarted. These are 1) intentionally causing disastrous mishap that would cause a major hazard to personnel and residential population; 2) disrupting a process installation so that the strategic supply of certain materials is interrupted or completely destroyed; 3) theft of materials that can be used to fabricate explosives, or highly toxic chemical agents. Such operations can be realized from outside by intrusion, or from inside by act of sabotage. The intrusion can be cyber-wise: hacking controls or even taking over the operation remotely. It can also be physically carried out through release of hazardous material due to damaging/rupturing/penetrating tanks, vessels, or piping by explosive blasts. The latter can also be realized by flying over a plant area, e.g., by drone.

Before we go into more detail about the contents of the CFATS and the organization to implement and maintain it, Presidential Executive Order 13650 of August 1, 2013 [20] will be mentioned. This order was prompted by the disastrous ammonium nitrate (AN) detonation accident initiated by fire that killed 15 people, the majority firefighters, and caused colossal damage in the town of West, in Texas on April 13, 2013. The accident was thoroughly investigated by the Chemical Safety Board [21]. The accident showed once again that hard prilled Fertilizer Grade AN (FGAN) can detonate in a fire; the 30 t portion of AN that detonated had been stored in combustible plywood bins inside a storage building containing 40–60 t AN in total, while a railcar present on the site contained another 100 t. (The railcar overturned but the cargo did not detonate. Also, 17 t anhydrous ammonia was stored in pressure vessels and did not escape.) The West Fertilizer Company had not notified DHS of the amount of AN being stored. (The plant had many times more in store than the amount threshold for required notification, the so-called “top screen” submittal.) In 2016, the Federal Bureau of Investigation issued a notice seeking any information leading to the arrest of individuals involved in intentionally causing the West explosion, which confirmed that the investigation concluded that this was not an accidental event.

The executive order established a working group (WG) co-chaired by the Secretaries of DHS and Department of Labor and by the Administrator of the Environmental Protection Agency (EPA) and further consisting of representatives of various other departments and entities. The WG was ordered to accomplish within certain time periods a fair number of tasks with the goal to improve communication and collaboration with respect to safety and security between federal agencies, State regulators, and state, local, and tribal emergency responders, chemical facility owners and operators, and communities. The WG was further asked to consult the Chemical Safety and Hazard Investigation Board (CSB) whether existing working arrangements with and between Environmental Protection Agency (EPA), the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF), and the Occupational Health and Safety Administration (OSHA) should be improved. The WG was to consider whether modernization of policy, regulations, and standards is required, while EPA and OSHA were to scrutinize the two main safety regulations for the process industry, the Risk Management Program rule and the Process Safety Management rule, respectively. The WG was also to identify best risk management practices. This all shows how seriously US leadership takes these matters. In May 2014, the group reported (in 121 pages) progress to the President [22] on actions already taken and future actions planned. Local emergency planning should be strengthened, the same holds for federal coordination and data exchange; OSHA sent out a Request for Information to stakeholders on what should be improved in the Process Safety Management standard, while EPA is training inspectors and planning modernization of the Risk Management Program rule. Finally, stakeholder feedback is being collected and best practices developed. The latter resulted in RAGAGEP (Recognized and Generally Accepted Good Engineering Practices) being enforced by OSHA.

Back to CFATS: the rule 6 CFR Part 27 of 2006 [22] established risk based performance standards. The rule explains to which type of facilities it applies and which form of a security risk. Chemical facilities that possess so-called chemicals of interest (COIs), being hazardous materials (substances) listed in Appendix A of the rule in a quantity over a certain threshold, must fill out and submit a top screen form. We shall come back to the procedure to be followed, but first some explanation of the standards is given. Congress did not give DHS the authority to specify any security measure – instead only to develop performance standards that must be met based on risk. In 2009, 3 years after the rule was published, a CFATS guidance document [23] came out focusing on the standards to be realized by owners and operators of chemical facilities. This document explains backgrounds, reasons, and modus operandi of CFATS, and assists a user in how to comply with the law. Fundamental is the meaning of a performance standard as applied in CFATS versus a design or technology-based standard. The former leaves a user free how to comply as long as the performance is achieved (goal oriented, and more cost-effective), whereas the latter prescribes exactly what must be done. There are 18 standards; these are summarized in Table 2.2. Each standard is explained in detail, while in tabular form metrics are shown with corresponding measures for each tier number of a facility, where, of course, the heaviest measures are to be applied for Tier 1. Details of the various possible measures are given in an appendix. The SSPs must include the measures taken to comply with the standards.

For following the application and plan submission procedures, DHS developed the online Chemical Security Assessment Tool (CSAT). This is a secure electronic, integrated system with which a user can provide the needed information online. Subsequently, DHS will assign the facility to one of four tiers, with tier 1 constituting the highest risk. An assigned and notified facility must conduct a security vulnerability assessment (SVA) and develop a site security plan (SSP). These two exercises are both performed by going online with CSAT and answering questions about the facility, while an instruction manual assists by

Tab. 2.2: Chemical Facility Anti-Terrorism Standards ([23], Section 27.230)

1 Restrict Area Perimeter. Secure and monitor the perimeter of the facility
2 Secure Site Assets. Secure and monitor restricted areas or potentially critical targets within the facility
3 Screen and Control Access. Control access to the facility and to restricted areas within the facility by screening and/or inspecting individuals and vehicles as they enter, including:
    (i) Measures to deter the unauthorized introduction of dangerous substances and devices that may facilitate an attack or actions having serious negative consequences for the population surrounding the facility and
    (ii) Measures implementing a regularly updated identification system that checks the identification of facility personnel and other persons seeking access to the facility and that discourages abuse through established disciplinary measures
4 Deter, Detect, and Delay. Deter, detect, and delay an attack, creating sufficient time between detection of an attack and the point at which the attack becomes successful, including measures to:
    (i) Deter vehicles from penetrating the facility perimeter, gaining unauthorized access to restricted areas or otherwise presenting a hazard to potentially critical targets
    (ii) Deter attacks through visible, professional, well-maintained security measures and systems, including security personnel, detection systems, barriers and barricades, and hardened or reduced-value targets
    (iii) Detect attacks at early stages, through countersurveillance, frustration of opportunity to observe potential targets, surveillance and sensing systems, and barriers and barricades and
    (iv) Delay an attack for a sufficient period of time to allow appropriate response through on-site security response, barriers and barricades, hardened targets, and well-coordinated response planning
5 Shipping, Receipt, and Storage. Secure and monitor the shipping, receipt, and storage of hazardous materials for the facility
6 Theft and Diversion. Deter theft or diversion of potentially dangerous chemicals
7 Sabotage. Deter insider sabotage
8 Cyber. Deter cyber sabotage, including by preventing unauthorized on-site or remote access to critical process controls, such as Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCSs), Process Control Systems (PCSs), Industrial Control Systems (ICSs), critical business systems and other sensitive computerized systems
9 Response. Develop and exercise an emergency plan to respond to security incidents internally and with the assistance of local law enforcement and first responders
10 Monitoring. Maintain effective monitoring, communications, and warning systems, including:
    (i) Measures designed to ensure that security systems and equipment are in good working order and inspected, tested, calibrated, and otherwise maintained
    (ii) Measures designed to regularly test security systems, note deficiencies, correct for detected deficiencies, and record results so that they are available for inspection by the Department and
    (iii) Measures to allow the facility to promptly identify and respond to security system and equipment failures or malfunctions
11 Training. Ensure proper security training, exercises, and drills of facility personnel
12 Personnel Surety. Perform appropriate background checks on and ensure appropriate credentials for facility personnel, and, as appropriate, for unescorted visitors with access to restricted areas or critical assets, including:
    (i) Measures designed to verify and validate identity
    (ii) Measures designed to check criminal history
    (iii) Measures designed to verify and validate legal authorization to work and
    (iv) Measures designed to identify people with terrorist ties
13 Elevated Threats. Escalate the level of protective measures for periods of elevated threat
14 Specific Threats, Vulnerabilities, or Risks. Address specific threats, vulnerabilities, or risks
identified by the Assistant Secretary for the particular facility at issue
15 Reporting of Significant Security Incidents. Report significant security incidents to the Depart-
ment and to local law enforcement officials
16 Significant Security Incidents and Suspicious Activities. Identify, investigate, report, and main-
tain records of significant security incidents and suspicious activities in or near the site
17 Officials and Organization. Establish official(s) and an organization responsible for security and
for compliance with these standards and
18 Records. Maintain appropriate records.

explaining how to use the tool, what data on the facility and its operations to provide,
and suggesting options for answers. Before using CSAT SSP, the user must receive
chemical terrorism vulnerability information (CVI) training. Based on the information
provided, the tier number of the facility may be adapted. The required degree of
thoroughness and detail of SVA and SSP will depend on the tier number.
Altogether, the process is described in four guidance documents published in the
period 2008–2011 [24–27]. This was followed by an information brochure [28] for the
sector in 2012, which provided many hints and clues to identify and recognize security
threats. It contains a table of evacuation distances in the case of a vehicle-borne
improvised explosive device (VBIED), which might contain as much as 30 t of explosives.
It also gives suggestions to counter cyber threats, and how and what to report if suspicious
activity is observed. Before the decision of compliance with the CFATS Act is made,
inspections are held, while assistance by DHS is offered in the preparation stage.
In 2014, Dana A. Shea of the Congressional Research Service [29] reported on
the state of play of the implementation of CFATS. Based on available information,
Shea concluded that DHS incurs an increasing backlog. The gap between the number
of sites that have received a final tier assignment and have actually been inspected
and the number that have had their site security plan authorized is increasing. A review
of whether the plan complies with the standards can take a considerable amount of
time and may require discussion with the owner or operator. The expectation is that
eliminating this backlog will still take several years. An accurate prediction could not
be given.
For industry, the sequential application of registration, top screen, SVA and SSP led to
long delays in determining their risk and, hence, to uncertainty about investment in
possibly required security upgrades. In 2015, following critical remarks in Congress and
industry about the long implementation delays, DHS issued the Expedited Approval
Program for Tier 3 and 4 facilities [30] to reduce backlog. To further involve the
chemical industry community, DHS organizes annual chemical sector security summits and
issues fact sheets with news and guidance. In 2006, DHS also established the
Chemical Security Analysis Center (CSAC) to assess and identify vulnerabilities and respond
to potential chemical threats and hazards. This center, located in Aberdeen, MD,
initiated, e.g., the Jack Rabbit II chlorine dispersion trials to verify and validate models.

2.2.3 Maritime Transportation and Security Act 2002

About a year after the Twin Tower attack, the Maritime Transportation and Security
Act 2002 [31] was promulgated. Obtaining this law was urgent because the US has
many ports and large tonnages of goods and materials pass through these ports. In addition,
at the time, ferries transported 113 million people a year and 32 million vehicles.
These numbers were growing. Also, the cruise line industry posed a risk. Ports are
relatively open and vulnerable to terrorism, while an investigation a few years before
revealed that this was also true for criminal activity such as smuggling and others.
Moreover, as described at the end of this section, the International Maritime
Organization meanwhile developed a new security system that should be followed.
Responsibility for executing the law was attributed to the US Coast Guard, although at the
time of promulgation it was not yet certain under which department it would function,
as the Department of Homeland Security was not yet founded. After DHS was
established in the same year, the Coast Guard became DHS’s military muscle.
The Act regulated the conduct of vulnerability assessments of ports and
vessels, and the preparation of a National Maritime Transportation Security Plan
under which Area Maritime Transportation Security Plans comprising security zones
are developed. The Act introduced “avant la lettre” quite a few modes of operation in
executing the law that were later implemented in CFATS, such as requiring owners
and operators of vessels and facilities to prepare and submit a Vessel and Facility
Security Plan within a period of 6 months.
The detailed security regulation can be found in 33 Code of Federal Register,
Chapter I, Sub-chapter H Maritime Security, Parts 101–107 [32] in which 103–106
describe Area, Vessels, Facilities and Outer Continental Shelf Facilities security,
respectively. Part 128 treats security of passenger terminals.
In this context, the International Ship and Port Facility Security Code (ISPS Code)
promulgated by the International Maritime Organization and coming into force in
2004 is also mentioned. This code serves to protect ships and port facilities against
terrorist acts by specifying a set of minimum requirements, such as preventing
unauthorized access to port restricted areas and vessels, and the unauthorized bringing
in of weapons or explosives. This encompasses cooperation in security with respect
to threat detection and prevention means, exchange of information, and assessment
methods, as well as security plans and procedures. Development of the code was
initiated after the attack on the New York WTC Twin Towers in September 2001, and the
text was agreed upon by the 108 SOLAS (International Convention for the Safety of
Life at Sea) signatories in 2002.

2.2.4 Transportation security of hazardous materials

Within DHS, the Transportation Security Administration (TSA) is among other tasks
charged with the security of transportation of hazardous materials by any mode:
road, rail, air, water, and pipeline. Coordination of DHS’s TSA and the Department of
Transportation (DOT) became institutionalized with the Homeland Security Act 2002
[4]. Homeland Security Presidential Directive No. 7, December 17, 2003, Critical
Infrastructure Identification, Prioritization and Protection (HSPD-7) [33] ordered that DOT
and DHS must collaborate in regulating the transportation of hazardous materials by
all modes (including pipelines). This resulted in a Memorandum of Understanding
(MOU) between DOT and DHS arranging how to coordinate, exchange information,
and assist each other. For example, a 2006 Annex to this MOU between TSA and the
Pipeline and Hazardous Materials Safety Administration (PHMSA) [34] detailed this
collaboration further. Another MOU involving as a third partner the Nuclear
Regulatory Committee is about the security of radioactive material transportation and was
signed in 2015 [35].
In connection with security of hazardous materials transportation, further steps
have been taken and a series of additions/amendments prepared to cover security
aspects in the extensive existing safety rules of Title 49 CFR [36]. This encompasses
Parts 172.802–822 on Safety and Security Plans, Parts 174 Carriage by Rail, Parts 175
Carriage by Aircraft, Parts 176 Carriage by Vessel, Parts 177 Carriage by Public
Highway, Parts 190–196 Pipeline safety (Natural and other gases, LNG, oil, and
hazardous liquids), and Parts 1520–1580 on the security of airport and related activities.

2.3 The EU critical infrastructure protection directive

The events in the US in 2001 were followed closely in Europe. In 2004, the European
Council (Heads of Member States plus the President of the European Commission –
EC) prepared a strategy for CIP. The EC organized two seminars with stakeholders,
the second one including industry to ask for suggestions. This resulted in the 2005
Green Paper [37] setting out the main objectives of a European Programme for Critical
Infrastructure Protection (EPCIP), and a supporting Critical Infrastructure
Warning Information Network (CIWIN). The paper also posed a number of questions about what
the boundaries of the program should be in view of effectiveness and the common
interest of an EPCIP on the EU level with regard to national CIPs. It introduced the
concept of a European CI (ECI) where there is a cross-border common interest versus a
national CI (NCI). In 2006, a proposal [38] was brought out for a directive and funding
for the period 2007–2013. As is the case in the US, it stated with respect to the threats
that terrorism would have priority but that the approach would be “all hazards”. It
further specified the principles to be followed in the context of EU membership:
subsidiarity, complementarity, confidentiality, stakeholder cooperation, and
proportionality; while it foresaw a sector-by-sector approach.
In a press conference release [39] that same day in December 2006, 11 sectors
were named:
1. energy
2. nuclear industry
3. information, communication technologies (ICT)
4. water
5. food
6. health
7. financial
8. transport
9. chemical industry
10. space
11. research facilities

It formulated what an ECI should be, what obligations the EC could impose on owners
and operators in view of CIP, what kind of costs these should incur, and what the
improvement should be.
The EC also redirected its Joint Research Centre (JRC) with its main location in
Ispra, Italy, to support policies with respect to security in conjunction with safety.
This resulted in activities such as the coordination of the European Reference Network
for Critical Infrastructure Protection (ERNCIP), which shares knowledge and research
facilities, resilience analysis, and research for protection of communications and
navigation with its space components, and physical protection of buildings.
In its preamble, the 2008 Council Directive [40] summarizes the evolution of EPCIP
and how it is built on the premise that the Member States have the ultimate
responsibility for the protection of the CI within their borders, and that the task of the
EU is only to identify transborder ECI in the common interest. An ECI is an infrastructure that
when severely damaged or destroyed will have an effect in the Member State (MS) where it
occurs and will also have an impact on another MS. Effects will be possible fatalities and
injuries, significant economic effects and loss of public confidence, physical suffering, or
societal disruption. Identification of risks, threats, and vulnerabilities of ECIs is essential.
This shall be performed by MSs and shared in a generic sense with the Commission. Rules
of maintaining confidentiality both nationally and by the EU shall be followed.
Initiative in designating what an ECI is belongs to the MS where the CI is located,
and this MS will start bilateral discussions with potentially affected other MSs in
which the Commission may participate. In the case when an infrastructure is not
designated as such, and another MS suspects it will be affected when this
infrastructure is damaged, it can inform the Commission, which will attempt to initiate
discussion.
For each ECI an Operator Security Plan will be drawn up according to a procedure
described in an Annex to the Directive. Contact between the operator/owner of an ECI
and the authority responsible in the MS shall be via a Security Liaison Officer. Within
1 year for each ECI, a threat assessment will be made and every 2 years risks, threats,
and vulnerabilities in an ECI sector will be reported to the Commission. The sectors
in which ECIs can be found are mentioned in Annex 1 of the Directive and are
reproduced here in Table 2.3.

Tab. 2.3: ECI sectors mentioned in the 2008 EU CIP Directive [40]

Sector | Sub-sector
Energy | 1 Electricity: Infrastructures and facilities for generation and transmission of electricity in respect of supply electricity
Energy | 2 Oil: Oil production, refining, treatment, storage and transmission by pipelines
Energy | 3 Gas: Gas production, refining, treatment, storage and transmission by pipelines; LNG terminals
Transport | 4 Road transport
Transport | 5 Rail transport
Transport | 6 Air transport
Transport | 7 Inland waterways transport
Transport | 8 Ocean and short-sea shipping and ports


In conclusion, the EU has established a framework for CIP and takes a coordinating
role to protect against potential incidents with cross-border effects, both with
respect to designation and exchange of information and state of the ECI. It
also coordinates and funds research, e.g., in 2016 within the Horizon 2020 EU Framework
program research proposals were invited for CIP-01–2016-2017: prevention, detection,
response, and mitigation of the combination of physical and cyber threats to the
critical infrastructure of Europe. However, the majority of actual security measures are to
be taken on a national basis.
The 2008 Directive [40] has been transposed in national law over the years
following the entry into force in early 2009. In 2012, a review of the Directive was reported
[41], showing that although there have been good examples, ECI identification could
have been much better. As a side benefit the Directive increased awareness of the
importance of CIP. Lazari [8] provides an overview of the titles of the national laws adopted
in the various EU countries and comments on the implementation of the Directive, the
fuzziness about its effectiveness, problems arising, and a possible
future role of the Commission. Activity on a revision of the directive commenced. The
fundamental question has been asked again as to what sectors should be included.
In 2011, the MS gave their opinion that it should be those sectors in which damaging
CI events that are potentially transnational and cascade across countries can occur. This
should include security of ICT, securing the dependency on space assets, e.g.,
navigation, securing infrastructure for financial transactions, food supply in view of
transport and energy, and in the health sector protection against pandemics, securing
pharmaceutical supplies, and other dependencies. In 2013, a Commission Working
Document [42] appeared with a new approach to EPCIP proposing that the
Commission should give support with respect to prevention (by risk assessment and
management), to preparedness strengthening (contingency planning, stress tests, awareness
raising, training, joint courses, exercises, and staff exchange), and response to weak
signals. However, the limited mandate of the Commission does not give much leeway
and given national political developments, one can question whether this leeway will
become any wider.
Internet hacking activity can also be applied to disturb process control and
interfere with programmable logic systems, including safety instrumented systems.
Although ICT Cyber Security is of much wider interest than the limited scope of this
chapter concerned with protection of process industry, it is good to sketch the main stream
of policy developments with respect to it. It will also help to understand
features in national regulation to be treated in the next chapter. ICT Cyber Security
has had a special position in the EU since the foundation of the European Union
Agency for Network and Information Security (ENISA) in 2004. Protection against
cyber-attacks is a global issue. The Commission’s communication in 2009 about
Critical Information Infrastructure Protection (CIIP) [43] also contained, following
initiatives in some MS, an announcement of a European Public-Private Partnership
for Resilience (E3PR). This will make ENISA work together with national
organizations and private telecom providers. One of the recommendations of the Centre for
European Policy Studies (CEPS) in Brussels on CIP [44] in 2010 was also to build
PPPs for trusted information sharing. By the way, other recommendations of CEPS,
at first sight based on quite rational grounds, were to strive for a holistic and more
centralized European approach of CI(I)P, which as we have seen above is in contrast
with actual development.
As in the US, and also after having made a proposal, the EU issued a directive on
port security early on. This became Directive 2005/65/EC [45].

2.4 Some European national solutions

Lazari [8] presented a table with the information on the implementation of the
Directive into national law of the various MS (with exception of Estonia, Finland, and
Ireland), which is here reproduced as Table 2.4. It will not be practical to describe
solutions of all 27 EU MS in detail. Instead, two will be selected: Belgium and The
Netherlands, which are two neighboring countries that have ECIs in common and
have quite different approaches to the follow up of the 2008 Directive.
Belgium issued a special law on securing critical infrastructures [46] in 2011,
following fairly closely the Directive. The law details the national organizational
structure, designation of ECIs and NCIs, and relationships and points of contact with CI
owners/operators. It prescribes the period in which a risk analysis identifying threat
scenarios, a vulnerability analysis, and security plans are to be made and measures
implemented. It regulates exchange and use of information, and competence of justice
and police. The sectors of critical infrastructure mentioned in the law are electricity
(power plants and transmission – nuclear power is treated separately; oil and gas –
production, refining, storage, and pipeline transmission), transportation (road, rail,
air, ship), the financial sector, and electronic communication. The process industry
is only partially mentioned under the heading refining of oil and gas and it does not
integrally include the chemical industry.
In 2006, The Netherlands founded a Contact group on Critical Infrastructure (SOVI
= “Strategisch Overleg Vitale Infrastructuur”) [47] in which several ministries, the
industry association VNO-NCW, and each critical infrastructure sector are
represented. This was followed in 2008 by the founding of the National Advice Centre
Critical Infrastructure (NAVI = “Nationaal Adviescentrum Vitale Infrastructuur”),
which was dissolved in 2010, while experts involved in NAVI founded a
cooperative National Security Advisory Centre (NSAC) [48] for organizational and technical
advice and risk assessment for government and industry. Expertise includes process
industry security. An amendment to the Harbor Security law
(“Havenbeveiligingswet”, [49]) was announced in 2007.


Tab. 2.4: Implementation of EU Directive 2008/114/EC in National Law of MS [8]¹

Member State | Implementation measure
Austria | Amendment made to the national framework through specific administrative measures entered into force on January
Belgium | “Wet betreffende de beveiliging en de bescherming van de kritieke infrastructuren”; “Loi relative à la sécurité et la protection des infrastructures critiques”, entered into force on July 15, 2011
Bulgaria | Decree n. 18 “identifying and designating European critical infrastructures and the measures for their protection” entered into force on February 1, 2011
Cyprus | Regulations on the “Identification and Designation of European Critical Infrastructures and the Assessment of the Need to Improve their Protection”, entered into force on January 20, 2011
Croatia | National law on Critical Infrastructures n. 56/2013
Czech Republic | Amendment of the ACT n. 240 on Crisis Management entered into force on June 28, 2000 through the Government Regulation No. 431/2010, amending Government Regulation No. 462/2000, and the Government Regulation No. 432/2010 “criteria for determining the elements of critical infrastructure”
Denmark | Promulgation of sector-specific Executive Orders: 1339/2007 (prevention of crimes against aviation security), 7/2011 (road-transport sector), 11/2011 (the identification and designation of European critical infrastructure in the energy sector), 1726/2010 (port security), 1461/2010 (railway sector), 6/2006 (ship domestic services)
France | Decree and the General Inter-ministerial Instruction N. 6600 SGDN/PSE/PPS of September 26, 2008
Germany | National Laws revising the energy industry regulation (entered into force on August 4, 2011) and the protection of transmission systems (entered into force on January 10, 2012)
Greece | Adaptation of Greek legislation to the Directive 2008/114/EC through the Presidential Decree N. 39 entered into force on
Hungary | Resolution No. 1249/2010 of the Government of the Republic of Hungary on European Critical Infrastructures and the assessment of the need to improve their protection
Italy | Legislative Decree n. 61 entered into force on May 4, 2011
Latvia | Regulations N. 496 of the Cabinet of Ministers “Procedures for the Identification of Critical Infrastructures and European Critical Infrastructures”
Lithuania | Resolution N. 943 entered into force on August 24, 2011 and sector-specific Executive Orders
Luxembourg | “Règlement grand-ducal portant application de la directive 2008/114/CE du Conseil du 8 décembre 2008 concernant le recensement et la désignation des infrastructures critiques européennes ainsi que l’évaluation de la nécessité d’améliorer leur protection” entered into force on March 12, 2012
Malta | Regulation N. 434 on “Critical Infrastructures and European Critical Infrastructures (Identification, Designation and Protection)” entered into force on November 8, 2011
The Netherlands | Amendment to the National CIP framework through the publication of the implementation program and requirement on the Official Gazette on the 23rd of December 2010
Poland | Act of October 29, 2010 on Crisis Management, Ordinances of the Council of Ministers of April 30, 2010 on the “national programme for Critical Infrastructure Protection” and “plans for the protection of critical infrastructures”
Portugal | Decree-Law N. 62 “procedures for the identification and protection of critical infrastructure for health, safety and economic, social well-being, energy and transport and transposing the Directive 2008/114/EC” entered into force on May 9, 2011
Romania | Emergency Ordinance on the identification, designation and protection of critical infrastructures, entered into force on November 16, 2010 and Government Decision on the composition, powers and organization of the Inter-institutional Working Group on Critical Infrastructure Protection entered into force on November 12, 2010
Slovakia | Act N. 45 on “Critical Infrastructures” entered into force on March 1, 2011
Slovenia | Decree n. 1799 on “European Critical Infrastructure” entered into force on May 12, 2011
Spain | Law N. 8/2011 for the Protection of Critical Infrastructure (entered into force on April 30, 2011) and Royal Decree N. 704/2011 “Regulation for the Protection of Critical Infrastructure” entered into force on May 22, 2011
Sweden | Ordinance N. 611-2009 amending the Ordinance 1002-08 “Swedish Civil Contingencies”, Ordinance N. 513-2012 amending the Ordinance 1119-2007 “instruction to Swedish enterprises in the energy sector”, Ordinance N. 793-2012 amending the Ordinance 185-2010 “instruction for the transport administration”, Ordinance N. 512-2012 amending the Ordinance 1153-2007 “instruction for the Swedish Energy Agency”
UK | Administrative Arrangement for amending the CPNI procedures with a view to including those related to the assessment of the identification and designation of ECIs. Gibraltar: amendment to the Civil Contingencies Act of 2007 (Gibraltar Gazette No. 3849 of May 12, 2011)

¹ Estonia, Finland, and Ireland are missing from this table. Non-appearance does not mean that these
countries are not active in CIP, on the contrary, but in their legislation the Directive is not easily traceable.

So far, we have treated CI in isolation and more specifically the physical
protection aspect of it, and that in this chapter in relation to the potential hazards posed by the
presence of process industry. We now come to a relatively new aspect of
government policy that will hold also in the case of other countries but certainly in The
Netherlands. Safety and security measures run parallel with respect to prevention
of and protection from undesirable outcomes to people and the environment.
People’s risk level acceptability has decreased over the years, and the accountability
of governments to provide safety and security has become more demanding. At the
same time, due to lack of space for settling and hence smaller free distances, more
intense use of traffic routes, increased industrial activities, intensified storms and
enhanced chance of flooding resulting from climate change, higher terrorist threat,
et cetera, both risk potential and exposure have significantly increased. Therefore,
stimulated by international bodies such as UN and OECD, more emphasis is
dedicated to disaster preparedness and management with overarching resilience
building.
Thus, based on a proposal to parliament in 2006 and following a British example, in
2007 the Dutch government approved the National Strategy on Safety and Security
(“Nationale Strategie Veiligheid”, [50]). Critical infrastructure protection is just one
element of this, partly because of linguistic details: the Dutch noun “veiligheid”
encompasses both safety and security, while critical infrastructure is called
vital infrastructure (“vitale infrastructuur”) in Dutch. This designation may have
an effect of lowering the visibility of CIP and the critical importance of resilience
to achieve acceptable security. Working out the strategy led, in the years following,
to a major activity of risk assessment of potential major disasters in the country,
resulting in a risk profile presented as a risk matrix per region, and of risk management
to determine an optimal distribution of funding in preventive and protective
measures, and organizational preparedness. A manual for determining the risk profile
was published in 2009 [51], while the newest version is that of 2016 [52]. In contrast
to, e.g., Belgium, this profile encompasses the process industry as a whole as it
explicitly mentions “chemical disasters”. The division into so-called safety regions
(“veiligheidsregio’s”) has been in view of effective emergency response command
and control. All this was established by a 2010 law (Wet Veiligheidsregio’s, [53]).
It can, therefore, be understood that the Directive 2008/114/EC [7] was not
implemented by a separate law, but by an implementation action plan embedded in
existing regulation. The plan was communicated in the Official Gazette
(“Staatscourant”, [54]) in 2010.

2.5 Conclusions

In the US, a broad and relatively intense effort has been made to improve the
protection of the process industries. The legal structure has been built and the
compliance effort is underway. It takes time and energy, but due to the online setup and
the training of people involved, a high degree of efficiency is expected to be achieved.
As inspection is part of the effort, in due time an overview of the state of affairs will
exist on the federal level.


Europe followed the pattern with a few years’ delay. As an EU activity it was able
to initiate a reference framework and actual activity on cross-border infrastructure,
but the brunt of the effort was within the MS. EU directives have been absorbed by
national law. The execution of the directives differs greatly between countries. Some
have a specific law on security, others integrate security within existing regulation,
aiming to be prepared for various disastrous events. An overview on the central level
of threats and risks will exist only for the critical infrastructure designated as ECI. In
Table 2.5 the mentioned differences between the US and European approaches are
given in chronological order.

Although Europe is usually seen as a unity by people from outside the Union, this
may not be the case inside it. A weakness in security brought to light by an event
somewhere in an EU MS might be explained as a weakness in the whole EU. One
can question whether a more centralized methodical approach with respect to the
presence of hazardous materials, as developed in the US, would not increase overall
effectiveness.

Tab. 2.5: Summary of similarities and differences in US and EU legislation in chronological order with respect to critical infrastructure protection with emphasis on process/chemical plants

Period: < 2001
U.S.: Early recognition by President Clinton in 1998 that critical infrastructure protection deserves attention due to growing complexity, interdependence, and vulnerability to various kinds of threats. Critical infrastructure was defined as those physical and cyber-based systems essential to the minimum operations of the economy and government. A number of sectors were distinguished and an organizational structure founded in order to realize coordination and a warning communication network.
E.U.: Before the 2001 WTC attack EU legislation with respect to safety had been fully developed, e.g., Seveso Directives, but no common regulation pertained to protection of critical assets. In general, security was kept by Member States at national level.

Period: 2002–2006
U.S.: Immediately after the terrorist attack on the WTC buildings, under President Bush federal legislation was issued to found in 2002 the Federal Department of Homeland Security, reshuffling ministerial structure and responsibilities to more effectively counter threats. In 2006 DHS issued its first National Infrastructure Protection Plan.
E.U.: In 2004 the European Commission, on request of the Council, started working on a European Programme of Critical Infrastructure Protection (EPCIP). This was presented in 2006 with 11 sectors and a proposal for a directive. The proposal content character was much like that of the Clinton Presidential Policy Directive.

Period: 2007–2009
U.S.: First actions focused on the transportation security of hazardous materials in the various modes of transport: maritime, road, rail, pipeline, and air. Already before the general awareness of Critical Infrastructure Protection (CIP), security of nuclear materials had been with the Department of Energy. To obtain the desired communication and coordination between departments, the Department of Homeland Security obtained the lead. Several Memorandums of Understanding were needed to obtain effective working procedures.
E.U.: Despite the proposed Directive, after all, the Member States wanted to retain their sovereignty in securing their own territory. The EPCIP became limited to transnational hazards, i.e., disruption of border-crossing energy transmission or hazard effects from plants in the border area. The European Commission still has a role in stimulating and enabling coordination and communication. It can act as a higher authority in case a Member State does not fulfil its obligation in the framework of EPCIP; it also inspects and advises, and it funds R&D.

Period: 2010–2012
U.S.: Recognizing the threat of terrorist acts to process plants and chemical installations in particular, to unleash damage threatening the population and the strategic supply of materials, and to steal hazardous chemicals, in 2006 the Chemical Facility Anti-Terrorism Standards (CFATS) Act was issued. This act, which obliges plant owners to have their installation classified with respect to risk and vulnerability in four tiers and to have minimum protection measures installed, became operational in 2009 by the issue of a guidance document. Further instructions followed in 2011.
E.U.: Besides implementing the 2008 EPCIP, most Member States strengthened security measures on a national basis. EPCIP does not mention process or chemical industry explicitly. A number of countries, such as the UK and the Netherlands, embarked at about the same time on a program to identify all risks of disaster to the country, in which critical infrastructure and terrorist threat were included. Chemical risks are part of it. This was to locate vulnerabilities and to plan, given the budget, preventive and protective measures including emergency response. To that end an overall risk matrix was constructed.

Period: 2013–2016
U.S.: Under President Obama the chosen directions were further extended and the number of critical infrastructure sectors increased to 16. The cyber threat became stronger during this period, e.g., by STUXNET type viruses. The execution of CFATS gradually took further shape and an acceleration of the execution in the tier 3 and 4 installations was realized.
E.U.: In 2013 a new approach to EPCIP appeared, proposing that the Commission should give support with respect to prevention (by risk assessment and management), to preparedness strengthening (contingency planning, stress tests, awareness raising, training, joint courses, exercises, and staff exchange), and response to weak signals. In the same year the Critical Infrastructure Warning Information Network (CIWIN) became operational. No change was made with respect to chemical plants.

Acknowledgment

The suggestions made with regard to the draft of this chapter by David A. Moore, PE,
CSP of AcuTech consultants are highly appreciated.

References

References accessed July 2016


[1] Presidential Decision Directive/NSC-63. The White House Washington. May 22, 1998. http://fas.org/irp/offdocs/pdd/pdd-63.htm.
[2] Homeland Security Presidential Directive-1. October 29, 2001. https://fas.org/irp/offdocs/nspd/hspd-1.pdf.
[3] Critical Infrastructures Protection Act of 2001. 42 U. S. Code § 5195c – Critical Infrastructures Protection. https://www.law.cornell.edu/uscode/text/42/5195c.
[4] Homeland Security Act of 2002. Public Law 107–296—Nov 25, 2002. 116 Stat 2135. https://www.dhs.gov/xlibrary/assets/hr_5005_enr.pdf.
[5] Commission of the European Communities, Green Paper on A European Programme for Critical Infrastructure Protection (presented by the Commission). Brussels. Nov 11, 2005. COM(2005) 576 final. https://marcusviniciusreis.files.wordpress.com/2010/06/european-programe-to-protect-ci.pdf.
[6] Communication from the Commission of December 12, 2006 on a European Programme for Critical Infrastructure Protection [COM(2006) 786 final – Official Journal C 126 of 7. 6. 2007]. http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:52006DC0786.
[7] Council Directive 2008/114/EC of December 8, 2008 on the Identification and Designation of European Critical Infrastructures and the Assessment of the Need to Improve Their Protection. Official Journal of the European Union. December 23, 2008. L 345/75. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2008:345:0075:0082:EN:PDF.
[8] Lazari A. European critical infrastructure protection. Heidelberg: Springer (eBook).
[9] Bucci S, Inserra D. The Heritage Foundation. Issue Brief, No. 4072 October 23, 2013. http://thf_media.s3.amazonaws.com/2013/pdf/IB4072.pdf.
[10] Department of Homeland Security. National Infrastructure Protection Plan – NIPP 2013. Partnering for Critical Infrastructure Security and Resilience. https://www.dhs.gov/publication/nipp-2013-partnering-critical-infrastructure-security-and-resilience.
[11] Title 6 – Domestic Security, Chapter 1 – Department of Homeland Security. Office of the Secretary Part 27 – Chemical Facility Anti-Terrorism Standards. April, 2007. https://www.gpo.gov/fdsys/pkg/CFR-2007-title6-vol1/pdf/CFR-2007-title6-vol1.pdf.
[12] Presidential Policy Directive/PPD-21, Critical Infrastructure Security and Resilience. https://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil.
[13] The CIP Report. Center for Infrastructure Protection and Homeland Security. June 2015. http://cip.gmu.edu/wp-content/uploads/2013/06/155_The-CIP-Report-June-2015_EnergySector.pdf.
[14] Implementation of Department of Energy Oversight Policy, Order 226.1B. Department of Energy, Washington, DC. April 4, 2011. https://www.directives.doe.gov/directives-documents/200-series/0226.1-BOrder-b.
[15] Independent Oversight Program, Order 227.1A. Department of Energy. Washington, DC. December 21, 2015. https://www.directives.doe.gov/directives-documents/200-series/0227.1-BOrder-A.

[16] Office of Enterprise Assessments, Independent Oversight Program, Appraisal Process Protocols. US Department of Energy. December 2015. http://energy.gov/ea/downloads/appraisal-process-protocols-independent-oversight-december-2015.
[17] Office of Enterprise Assessments, FY 2015 Independent Oversight Activities Overview, Report to Congress, October 2015. United States Department of Energy. Washington, DC 20585. http://energy.gov/sites/prod/files/2016/01/f28/2015%20Annual%20Report%20to%20Congress%20%28Final%29.pdf.
[18] Statement of Patricia Hoffman Assistant Secretary for Electricity Delivery and Energy Reliability U. S. Department of Energy Before the United States House of Representatives. Appropriations Subcommittee on Energy and Water Development. March 17, 2015. http://energy.gov/sites/prod/files/2015/07/f25/FY2016Budget-HEWD-testimony-3-17-15-OE-FINAL.pdf.
[19] Title XXI – Chemical Facility Anti-Terrorism Standards, Public Law 113–254. December 18, 2014. 128 STAT. 2898. https://www.congress.gov/113/plaws/publ254/PLAW-113publ254.pdf.
[20] Presidential Documents, Executive Order 13650 of August 1, 2013. Improving Chemical Facility Safety and Security, Federal Register/Vol. 78, No. 152/Wednesday, August 7, 2013, 48029.
[21] U. S. Chemical Safety and Hazard Investigation Board. Investigation Report (final) West Fertilizer Company Fire and Explosion, Texas, April 17, 2013. Report 2013-02-I-TX. January 2016. http://www.csb.gov/.
[22] U. S. Department of Homeland Security. 6 CFR Part 27. Chemical Facility Anti-Terrorism Standards. Federal Register/Vol 72, No 67/Monday, April 9, 2007/Rules and Regulations, 17688. http://www.ecfr.gov/cgi-bin/text-idx?tpl=/ecfrbrowse/Title06/6cfr27_main_02.tpl.
[23] U. S. Department of Homeland Security. Risk-Based Performance Standards Guidance, Chemical Facility Anti-Terrorism Standards. May 2009. https://www.dhs.gov/chemical-facility-anti-terrorism-standards.
[24] U. S. Department of Homeland Security. CSAT Security Vulnerability Assessment, Questions. June 2008. Version 1.0, OMB PRA # 1670–0007. https://www.dhs.gov/chemical-security-assessment-tool.
[25] U. S. Department of Homeland Security. CSAT Security Vulnerability Assessment Application, Instructions. January 3, 2011. Version 2.1. https://www.dhs.gov/chemical-security-assessment-tool.
[26] US Department of Homeland Security. CSAT Site Security Plan, Questions. June 2011. Version 2. https://www.dhs.gov/chemical-security-assessment-tool.
[27] U. S. Department of Homeland Security. CSAT Site Security Plan, Instructions. May 2009. Version 1.0. https://www.dhs.gov/chemical-security-assessment-tool.
[28] U. S. Department of Homeland Security. Chemical Sector Security Awareness Guide. A Guide for Owners, Operators, and Chemical Supply-Chain Professionals. September 2012. https://www.dhs.gov/sites/default/files/publications/DHS-Chemical-Sector-Security-Guide-Sept-2012-508.pdf.
[29] Shea DA. Implementation of chemical facility anti-terrorism standards (CFATS): issues for Congress. Congressional Research Service. April 2014. 7–5700. www.crs.gov R43346.
[30] U. S. Department of Homeland Security. DHS Guidance for the Expedited Approval Program. https://www.dhs.gov/sites/default/files/publications/DHS-EAP-Guidance-Document-05-15-508.pdf.
[31] Maritime Transportation Security Act of 2002. Public Law 107–295. November 25, 2002. 116 Stat. 2064. https://www.gpo.gov/fdsys/pkg/PLAW-107publ295/pdf/PLAW-107publ295.pdf.
[32] 33 CFR Chapter 1. Sub-Chapter H – Maritime Security. http://www.ecfr.gov/cgi-bin/text-idx?tpl=/ecfrbrowse/Title.
[33] Homeland Security Presidential Directive No. 7. December 17, 2003. Critical Infrastructure Identification, Prioritization and Protection (HSPD-7). https://www.dhs.gov/homeland-security-presidential-directive-7.

[34] Annex to the Memorandum of Understanding between the Department of Homeland Security, and the Department of Transportation concerning Transportation Security Administration and Pipeline and Hazardous Materials Safety Administration Cooperation on Pipeline and Hazardous Materials Transportation Security. http://www.phmsa.dot.gov/staticfiles/PHMSA/DownloadableFiles/Annex%20to%20MOU%20between%20TSA-PHMSA.PDF.
[35] Memorandum of Understanding among the Department of Homeland Security, the Department of Transportation, the U. S. Nuclear Regulatory Commission Concerning Cooperation on Radioactive Materials Transportation Security. Last signature 2015. http://pbadupws.nrc.gov/docs/ML1505/ML15057A336.pdf.
[36] 49 CFR Transportation. http://www.ecfr.gov/cgi-bin/text-idx?tpl=/ecfrbrowse/Title49/49tab_02.tpl.
[37] Commission of the European Communities. Green Paper on a European Programme Critical Infrastructure Protection. Brussels, November 17, 2005. COM(2005) 576 final. https://marcusviniciusreis.files.wordpress.com/2010/06/european-programe-to-protect-ci.pdf.
[38] Commission of the European Communities. Communication from the Commission on a European Programme Critical Infrastructure Protection. COM(2006) 786 final. December 12, 2006. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2006:0786:FIN:EN:PDF.
[39] Press Conference Release. The European Programme for Critical Infrastructure Protection (EPCIP), MEMO/06/477. Brussels. December 12, 2006. http://europa.eu/rapid/press-release_MEMO-06-477_en.htm.
[40] Council Directive 2008/114/EC of 8 December 2008. On the Identification and Designation of European Critical Infrastructures and the Assessment of the Need to Improve Their Protection. December 23, 2008. EN Official Journal of the European Union. L 345/75. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2008:345:0075:0082:EN:PDF.
[41] European Commission. Commission Staff Working Document on the Review of the European Programme for Critical Infrastructure (EPCIP). Brussels. June 22, 2012. SWD(2012) 190 final. http://ec.europa.eu/dgs/home-affairs/what-we-do/policies/crisis-and-terrorism/critical-infrastructure/index_en.htm.
[42] European Commission: Commission Staff Working Document on a New Approach to the European Programme for Critical Infrastructure Protection. Making European Critical Infrastructures More Secure. Brussels. August 28, 2013. SWD(2013) 318 final. http://ec.europa.eu/dgs/home-affairs/what-we-do/policies/crisis-and-terrorism/critical-infrastructure/index_en.htm.
[43] Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on Critical Information Infrastructure Protection. Protecting Europe from Large Scale Cyber-Attacks and Disruptions: Enhancing Preparedness, Security and Resilience. Brussels. March 30, 2009. COM(2009) 149 final. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2009:0149:FIN:EN:PDF.
[44] Hämmerli B, Renda A. Protecting Critical Infrastructure in the EU. CEPS Task Force Report. Centre for European Policy Studies, Brussels. © CEPS 2010. https://www.ceps.eu/publications/protecting-critical-infrastructure-eu.
[45] Directive 2005/65/EC of the European Parliament and of the Council, of 26 October 2005 on Enhancing Port Security. L 310/28 EN Official Journal of the European Union. November 25, 2005. http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32005L0065&rid=1.
[46] Loi relative à la sécurité et la protection des infrastructures critiques – Wet betreffende de beveiliging en de bescherming van de kritieke infrastructuren. July 1, 2011. English translation http://www.microsofttranslator.com/bv.aspx?ref=SERP&br=ro&mkt=nl-NL&dl=en&lp=NL_EN&a=http%3a%2f%2fwww.ejustice.just.fgov.be%2fcgi_loi%2floi_a1.pl%3flanguage%3dnl%26la%3dN%26cn%3d2011070108%26table_name%3dwet%26%26caller%3dlist%26fromtab%3dwet%26tri%3ddd%2bAS%2bRANK.

[47] Besluit instelling van het Strategisch Overleg Vitale Infrastructuur (Instellingsbesluit SOVI), geldend van 28-04-2006 t/m heden. http://wetten.overheid.nl/BWBR0019781/2006-04-28.
[48] National Security Advisory Centre (NL: Adviescentrum BVI). The Hague, The Netherlands. http://www.nsac.eu/default.htm.
[49] Wijzigingswet Havenbeveiligingswet (implementatie richtlijn nr. 2005/65/EG betreffende verhogen veiligheid van havens), geldend van 01-10-2010 t/m heden. http://wetten.overheid.nl/BWBR0016991/2010-10-01.
[50] Tweede Kamer der Staten-Generaal, Vergaderjaar 2006–2007. 30821 Nationale Veiligheid. Brief van de Minister van Binnenlandse Zaken en Koninkrijkrelaties aan de Voorzitter van de Tweede Kamer der Staten-Generaal, Den Haag. October 2, 2006. KST101379, 0607tkkst30821,-1 ISSN 0921 – 737. Sdu Uitgevers, ‘s-Gravenhage 2006. https://zoek.officielebekendmakingen.nl/kst-30821-3.pdf.
[51] Handreiking Regionaal Risicoprofiel, Politie, NVBR, GHOR, Coördinerend Gemeentesecretarissen. 5 November, 2009 (EN: Guideline Regional Risk Profile – Police, Fire Brigade Organization, Regional Medical Organization, Coordinating Municipal Secretaries). http://www.regionaalrisicoprofiel.nl/algemene_onderdelen/downloads/handreiking/.
[52] Nationaal Veiligheidsprofiel 2016. Een All Hazard overzicht van potentiële rampen en dreigingen die onze samenleving kunnen ontwrichten. Analistennetwerk Nationale Veiligheid, © RIVM 2016 (National Safety and Security Profile 2016. An All Hazard Overview of Potential Disasters and Threats Potentially Able to Disrupt Society. Analyst Network National Safety and Security). https://zoek.officielebekendmakingen.nl/blg-793151.pdf.
[53] Wet van 11 februari 2010. Houdende bepalingen over de brandweerzorg, de rampenbestrijding, de crisisbeheersing en de geneeskundige hulpverlening (Wet veiligheidsregio’s), geldend van 01-01-2016 t/m heden. http://wetten.overheid.nl/BWBR0027466/2016-01-01.
[54] Mededeling inzake de implementatie van richtlijn 2008/114/EG. Staatscourant Nr. 20996. December 24, 2010. https://zoek.officielebekendmakingen.nl/stcrt-2010-20996.html?zoekcriteria=%3fzkt%3dUitgebreid%26pst%3dStaatscourant%26dpr%3dAnderePeriode%26spd%3d20101224%26epd%3d20160717%26nrp%3d%252020996%26sdt%3dDatumPublicatie%26planId%3d%26pnr%3d1%26rpp%3d10&resultIndex=6&sorttype=1&sortorder=4.
