Have you participated in a vulnerability assessment yet? If not, chances are you will. Federal, state, and local laws are mandating this assessment for a variety of EHS processes and activities since 9/11. More requirements are expected.

Many employers have been caught off-guard with the fast pace of new requirements and recommendations to address terrorist threats.

Safety/health pros need to keep alert to how new requirements may impact their role.

What is it?

"Vulnerability assessment" is primarily a security term that gained popular use as a method to assess network security against cyber attacks and hackers. The term has taken on expanded meaning since 9/11. Now it includes assessments to address terrorist threats against targets such as community water supplies or chemical facilities, or use of hazardous materials as weapons of convenience (WC) or weapons of mass destruction (WMD) against any target. Assessments are used to develop security plans and emergency response plans.

Vulnerability assessments can be used for good or evil. Good people use a vulnerability assessment to hinder or stop bad people from doing destructive things. Bad people use a vulnerability assessment to wreak havoc on good, but generally unprepared, people. Think like a terrorist to get the most benefit from your vulnerability assessment.

Legal mandates

The legal basis for requiring vulnerability assessments primarily comes from new federal laws including:

  • Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATROIT) Act of 2001;
  • Homeland Security Act of 2002;
  • Public Health Security and Bioterrorism Preparedness and Response Act of 2002; and,
  • Agricultural Bioterrorism Protection Act of 2002.

Older laws may also form the legal basis for including vulnerability assessments in existing rules, such as OSHA's process safety management and EPA's risk management plan. New Jersey, Contra Costa County, Calif., and Baltimore, Md., have recently passed laws requiring businesses to conduct vulnerability assessments involving terrorist concerns.

Who's covered?

Vulnerability assessments will impact many employers and employees. Examples include approximately 44,000 hazmat shippers and all hazmat employees; employees of community water systems serving more than 3,300 people; academic institutions, biomedical centers, clinical and diagnostic laboratories, and research facilities having select agents or toxins; and (although not mandated yet) the approximately 15,000 chemical facilities and employees subject to OSHA's PSM and EPA's RMP.

Hazmat example

Domestic and international security agencies have credible evidence that terrorists plan to use hazardous materials as WC or WMD against U.S. targets. The FBI, for example, disclosed in June 2002 that captured al Qaeda fighters acknowledged that terrorists might use fuel tanker trucks to attack Jewish schools or synagogues. And given that there are about 800,000 daily hazmat shipments in the U.S., hazardous materials may become a convenient weapon.

The USA PATROIT Act of 2001 formed the legal basis for the Department of Transportation to develop the HM-232 final rule mandating a vulnerability assessment for the security plan required of a shipper or carrier of a hazardous material requiring placarding and to select agents (see 49 CFR part 172.800). The DOT's deadline for developing an initial hazmat security plan expired September 25, 2003. DOT expects that most hazmat security plans will be updated at least annually as new information becomes available.

Numerical ranking

According to DOT, a vulnerability assessment is the first step in developing an effective security plan. DOT includes a vulnerability assessment methodology (under prevention tools) with its HMT security training module at (http://hazmat.dot.gov/hmt_security.htm). The methodology includes ranking hazardous materials from 1 (most) through 5 (least) in categories of "hazardous" and "exposure."

In the hazardous category, the assessor considers chemical properties such as flammability, explosiveness, toxicity, vapor pressure, reactivity and corrosivity. The exposure category includes conditions such as predictability of shipments, proximity to public events, volume, population densities, trip distances, and environmental conditions.

The number for each category is added together to establish a final ranking for each hazardous material stored or shipped, with the lower numbers, particularly 3 or less, being given priority attention.

Other vulnerability assessment methodologies exist for DOT objectives. For example, the American Trucking Association expands upon DOT's vulnerability assessment methodology by providing more categories to numerically rank. Using American Trucking Association's methodology, a numerical rank above 700 is a "normal situation" and a rank below 300 is an "extreme situation."

Safety/health involvement

Although security professionals should take the lead in developing vulnerability assessments, a safety/health pro should be involved whenever the assessment includes hazardous materials. Vulnerability assessments involve considerable subjectivity. Who is to say whether a hazardous material such as propane should be ranked a 1 or 5 in DOT's vulnerability assessment methodology hazardous category?

During the public comment period prior to the HM-232 final rule, a commenter requested an exception for propane because "propane should not be considered a weapon of mass destruction" due to its narrow range of flammability and tendency to disperse rapidly if released. DOT rejected the requested exception, after explaining how the chemical properties of propane could be made to produce a WMD. Safety/health pros have the knowledge and experience to predict whether an intentionally released chemical(s) could be used to create an emergency or produce a catastrophic event.

Employee involvement/training

All hazmat employees are required to be trained on security awareness no later than March 24, 2006 (some employees require the training much sooner). Hazmat employees covered under the requirement for a security plan must be trained in the plan's specifics by December 22, 2003, and then be periodically retrained.

As demonstrated in DOT's online HMT security training module, the vulnerability assessment may be an essential component of the training. From my experience, hazmat employees who have viewed DOT's security awareness training materials have many questions. A safety/health pro must recognize that answers to these questions must be generic and avoid specific information that may be intentionally or unintentionally misused.

Differing vulnerability assessments

Safety/health pros will find many different methodologies for conducting vulnerability assessments. DOT's methodology was shown here and you may readily find online other vulnerability assessment methodologies such as the Department of Justice's "A Method to Assess the Vulnerability of U.S. Chemical Facilities (published November 2002). Which should you use? Or should you develop your own?

Regardless of what you decide, keep the decision confidential among highly trusted sources within your organization. Why? Both good and devious people use vulnerability assessments. The more an ill-intentioned person knows about how your organization performs a vulnerability assessment, the better able he is to spot and take advantage of your organization's vulnerabilities.