Be Part of the Ultimate Safety & Compliance Community
Trending news, knowledge-building content, and more – all personalized to you!
Companies should prioritize facility security to keep employees, contractors, visitors, and assets safe. Employers are accountable for the safety of the people on their sites, as well as the sites themselves and their contents. A company should be aware of security risks at its facilities and take steps to keep the facilities secure, such as controlling access, securing and monitoring points of entry, and establishing and providing effective training on clear security policies.
Companies are accountable for the safety of those on their sites. That means they are accountable for all employees, contractors, and visitors on the property as well as the property itself.
Customers and employees want to know an organization’s commitment to safe and secure facilities. To start, a company should be aware of security risks faced at its facilities. Then employers can take several steps to keep a facility secure such as:
Most companies have certain areas to which access must be controlled, limited, or restricted to protect employees and the contents of those areas.
Whether the business is a small operation with limited resources or a large, multi-state company, it needs to examine the security of its buildings, facilities, and vehicles. Companies should develop a written security plan to control access points and secure the perimeter of the facility.
The complexity of the plan depends on the nature of the company’s operations. It may require hiring more personnel, installing new locks and surveillance equipment, implementing new security procedures for visitors, or even making changes to the facility’s physical layout.
Evaluate the facility
A security plan starts with an evaluation of the physical facility, its operations, its level of risk, and its current state of security. Ask some basic questions about the operation to determine the level of security necessary. Don’t consider the cost until deciding what is needed. Questions to ask include:
Security systems
The security system that’s right for a given business will be unique to that specific operation. Consider hiring a professional to conduct the evaluation-and-needs assessment, then get proposals from several sources.
Security systems come in all shapes and sizes. If proposals are obtained from outside sources, the proposals may differ significantly in options and costs. For example, a security system for access points might:
Ideally, if the budget allows, a security presence should be in place 24 hours a day, seven days a week. Guards should monitor facility operations, control exits and entrances (including ID checks), check shipment documentation, and conduct periodic inspections of outbound and inbound vehicles.
Roaming, irregular, staggered security patrols should monitor the entire facility, especially when closed (nights, weekends, and holidays). Make sure local law enforcement personnel are familiar with the facility and include it in patrolling. Develop a close relationship with local law enforcement as these officers likely will be the first to respond in an emergency.
Every security system has vulnerabilities, but steps can be taken and procedures can be developed to prevent those vulnerabilities from leading to losses or disasters.
Access to critical records and files
From drug and alcohol policy documents to financial records, every company has valuable or confidential files that need to be kept secure. Companies should:
Any visitor, vendor, supplier, contractor, or other person who temporarily enters a facility could be a security risk. Though controlling exactly who can enter the facility may be a daunting task, steps can be taken to help reduce risk. The employer is also accountable for these visitors in an emergency. Employers should know who is in their buildings and where to find them should an emergency arise.
Restrict visiting
First, no matter the size of the operation, businesses should develop and enforce a restricted visiting policy. Visitors and other non-employees should only be allowed to enter the facility when necessary, and all visitors should be required to register at a designated visitor entrance before being allowed to move about the facility.
Though employees may think such a policy is an undue restriction, the management of the organization should instruct all employees on its importance to them and the company’s overall safety and security.
Procedures for visitors
Consider taking the following steps, depending on the level of security required, before allowing a visitor to proceed into a facility:
Despite the best efforts at keeping unauthorized people out, a company can never afford to let its guard down on the inside. Train all employees to take notice of and report suspicious activities and people. For example, employees should be wary of people who are:
Pay particular attention to custodial/janitorial personnel and repair workers. People in these positions may be the least-well-screened personnel at the facility, but may have the most access and tend to generate little suspicion. If possible, develop a rigid screening process for such persons. If custodial/janitorial personnel and repair workers are not permanent employees of the company, they should be treated like other visitors and be escorted and observed.
Once visitors and other outside personnel leave, make sure ID badges are returned and indicate on the record that the individuals have left the facility.
When it comes to protecting a physical facility from intruders, don’t develop a false sense of security just because there is a fence, security camera, or good lighting. One or two security measures are not going to totally protect any company. It takes an integrated system of defenses to prevent unauthorized persons from entering the facility and causing damage and/or leaving with valuable materials.
Facility layout and condition
The best defense starts with the physical layout and condition of the facility. An organization may need to make physical modifications to its facility to truly protect it. Questions to ask include:
The criminal mind can devise sinister, unconsidered methods to accomplish a task. Make sure employees are trained to report suspicious activity or security lapses, and encourage them to offer suggestions for security improvements.
After basic perimeter security, a doorway may be the next best defense against an intruder. In the case of a smaller company, a securely locked door may be the only defense. It’s critical that all entrances and exit gates and doors are secured when not in use.
Maintenance
Make sure all gates and doors are structurally sound, locks are substantial enough to prevent unauthorized entry, and latches close securely. If an entrance needs maintenance, have it done as soon as possible.
A company should examine all doors and replace parts or entire doors if the items provide inadequate protection. A door is only as strong as its composition and points of attachment (i.e., what it’s made of and the strength of locks and hinges).
Generally, an intruder hoping to break through a door will start with the locks, but then may move to the hinges, glass panels, or other areas of the door. Doors with significant amounts of glass should be equipped with additional security measures such as an alarm system, steel bars, or wire mesh, or should be under constant guard. Hollow-core or paneled doors should be reinforced, perhaps with a steel plate inside.
Clean and lubricate doors and adjust them as necessary (remember that wooden doors may change shape with the seasons).
Restricting entry
Never allow just anyone into a building. It is good company policy to require each employee to use that worker’s own ID to enter the building. If possible, IDs should have the employee’s picture, name, and department or function, but remember that it’s relatively easy to fake an ID.
Businesses should have a written policy that includes immediate reporting of lost or stolen security badges or IDs, because most automated systems are unable to tell if the person entering the building is the same one originally issued the ID.
Instruct employees not to hold the doors open for others unless the employee knows the person and the person is a current employee. All visitors should be instructed to use a designated visitor entrance.
Employees, too, should be restricted to designated employee entrances and exits. Emergency exits should only be used in an emergency.
To control who enters the facility, install a security checkpoint, either with personnel or automated. At a minimum, companies should consider a security guard or receptionist at the door screening those who enter the building, or a device that automatically scans employee ID cards or badges and only unlocks the door for authorized personnel.
Establish set hours during which employees may enter the building(s). If access is necessary after hours, employees should be instructed to contact a security guard who can screen the employee and provide access if authorized. If an automated access card system is in place, program the cards to limit access during non-business hours.
Check all windows for security risks. After doors, windows are the easiest way into a building. A window that is easily reached with a ladder, is large enough for a person to crawl through, or could allow someone to reach and open a lock should be considered vulnerable.
Does the facility have windows that can be opened? If so, there is always the chance that one will be left unlocked, or that an intruder could force open the window lock. Evaluate and reinforce the locks if necessary, and make sure employees are closing and locking windows.
Consider installing alarms on windows located on the first and second floors of each building.
If there are window air-conditioners, make sure the units can’t be removed from the outside.
Perimeter walk-around procedures
A periodic walk-around or audit of the external areas of the facility and surrounding grounds will provide a lot of useful information, keeping the company in tune with facility security and highlighting any security gaps.
How often a company conducts security self-audits — whether weekly, monthly, or quarterly — depends on the size of the operation and its relative level of risk. The assessment should be done under varying light conditions (a burned-out light bulb would be invisible during daylight hours, just as a hole in a fence may not be visible at night). These are some questions to ask during the audit:
Remember to obtain employee input, too, since employees are closest to the issues and might be able to alert management to security concerns that go unnoticed during a walk-around audit.
The best locks in the world don’t provide much protection against someone who has a key. First and foremost, entrance security depends on key control. All companies should have a facility-wide key control system that ensures the security of keys, access cards, combinations, key-making equipment, key codes, etc.
The security office or another secure location should be used to store all spare keys, access cards, and other lock-related equipment or information. Personnel who work in those areas should have limited access to equipment and information. Do not store combinations or other lock information on a computer. Conduct periodic inventories and inspections to make sure nothing has been stolen or misplaced.
Other security measures include:
Technology is always changing, and that can mean more security and information-gathering ability for a (sometimes) cheaper price. Lock and security-device manufacturers are adding more and more computer circuitry into products, allowing unprecedented control over who can enter a locked area, when, and how often. These high-tech access control systems are becoming increasingly common in both home and business applications.
It’s a good idea to stay abreast of changes in security technology. Consider the following:
In the future, more and more locks will employ cutting-edge technology including fingerprint, eye, and voice recognition.
Terrorism, according to the Federal Bureau of Investigation (FBI), is the calculated use of unlawful force or violence, or the threat of unlawful force or violence, against person(s) or property for purposes of intimidation, coercion, or ransom in the pursuit of goals that are generally political, religious, or ideological.
Terrorist incidents are not emergencies that the Occupational Safety and Health Administration (OSHA) expects an employer to reasonably anticipate. However, if a terrorist incident does occur in or near one’s workplace, an effective evacuation plan increases the likelihood that the employees will reach shelter safely.
Terrorists typically plan attacks to obtain the greatest publicity, choosing targets that symbolize what they oppose. The effectiveness of the terrorist act lies not in the act itself, but in the public or government reaction to the act.
A terrorist attack can take several forms, depending upon technology available to the terrorist, the nature of the issue motivating the attack, and the target’s points of weakness. While bombings are the most common method, other possibilities include attacking transportation facilities, utilities, banking and financial targets, landmarks, and national treasures, as well as attacks on public services.
Terrorist weapons can include use of explosives, kidnappings, hijackings, arson, killings and assassinations, and cyberattacks designed to slow down or destroy computer networks. Terrorist weapons could also include “weapons of mass destruction� (WMD), defined as biological or chemical agents; and atomic or radioactive “dirty� bombs designed to cause massive casualties in civilian populations.
Since terrorism can impact employers and workers, OSHA works with other federal agencies including the Federal Emergency Management Agency (FEMA), the U.S. Environmental Protection Agency (EPA), the U.S. Soldier Biological and Chemical Command (SBCCOM), the Centers for Disease Control and Prevention (CDC), and within CDC, the National Institute for Occupational Safety and Health (NIOSH).
Chemical facilities, even with very low volumes, are under particular scrutiny, as their operations are considered especially vulnerable to threats.
Because of the increased threat, chemical facilities need to focus on preventing terrorist, criminal, and cyberattacks. Such attacks could have significant national impact (e.g., through the loss of chemicals vital to the national defense or economy). They also could cause releases of hazardous chemicals that might compromise the facility’s integrity, cause serious injuries or fatalities among employees, contaminate adjoining areas, or cause injuries or fatalities among adjoining populations.
For many facilities, compliance with existing regulations led to changes in operations that reduced risk and increased security. Facilities have been able to identify and reduce the chemicals of greatest concern at their facilities. For companies not previously affected by security-related regulations, existing regulations and guidance provide a solid starting point for evaluating processes and implementing changes to improve security.
Chemical facilities that have more than 300 chemicals of interest listed in in Appendix A of the Chemical Facility Anti-Terrorism Standards (CFATS) regulation (6 CFR Part 27) are required to report to the Cybersecurity and Infrastructure Security Agency (CISA) as part of the Chemical Facility Anti-Terrorism Standards (CFATS).
Facilities that have certain amounts of chemicals of interest must meet additional requirements and complete surveys to rank their risk level. Companies that meet the high-risk thresholds are required to have a site security plan.
Whether the business is a small operation with limited resources or a large, multi-state company, it needs to examine the security of its buildings, facilities, and vehicles. Companies should develop a written security plan to control access points and secure the perimeter of the facility.
The complexity of the plan depends on the nature of the company’s operations. It may require hiring more personnel, installing new locks and surveillance equipment, implementing new security procedures for visitors, or even making changes to the facility’s physical layout.
Evaluate the facility
A security plan starts with an evaluation of the physical facility, its operations, its level of risk, and its current state of security. Ask some basic questions about the operation to determine the level of security necessary. Don’t consider the cost until deciding what is needed. Questions to ask include:
Security systems
The security system that’s right for a given business will be unique to that specific operation. Consider hiring a professional to conduct the evaluation-and-needs assessment, then get proposals from several sources.
Security systems come in all shapes and sizes. If proposals are obtained from outside sources, the proposals may differ significantly in options and costs. For example, a security system for access points might:
Ideally, if the budget allows, a security presence should be in place 24 hours a day, seven days a week. Guards should monitor facility operations, control exits and entrances (including ID checks), check shipment documentation, and conduct periodic inspections of outbound and inbound vehicles.
Roaming, irregular, staggered security patrols should monitor the entire facility, especially when closed (nights, weekends, and holidays). Make sure local law enforcement personnel are familiar with the facility and include it in patrolling. Develop a close relationship with local law enforcement as these officers likely will be the first to respond in an emergency.
Every security system has vulnerabilities, but steps can be taken and procedures can be developed to prevent those vulnerabilities from leading to losses or disasters.
Access to critical records and files
From drug and alcohol policy documents to financial records, every company has valuable or confidential files that need to be kept secure. Companies should:
Any visitor, vendor, supplier, contractor, or other person who temporarily enters a facility could be a security risk. Though controlling exactly who can enter the facility may be a daunting task, steps can be taken to help reduce risk. The employer is also accountable for these visitors in an emergency. Employers should know who is in their buildings and where to find them should an emergency arise.
Restrict visiting
First, no matter the size of the operation, businesses should develop and enforce a restricted visiting policy. Visitors and other non-employees should only be allowed to enter the facility when necessary, and all visitors should be required to register at a designated visitor entrance before being allowed to move about the facility.
Though employees may think such a policy is an undue restriction, the management of the organization should instruct all employees on its importance to them and the company’s overall safety and security.
Procedures for visitors
Consider taking the following steps, depending on the level of security required, before allowing a visitor to proceed into a facility:
Despite the best efforts at keeping unauthorized people out, a company can never afford to let its guard down on the inside. Train all employees to take notice of and report suspicious activities and people. For example, employees should be wary of people who are:
Pay particular attention to custodial/janitorial personnel and repair workers. People in these positions may be the least-well-screened personnel at the facility, but may have the most access and tend to generate little suspicion. If possible, develop a rigid screening process for such persons. If custodial/janitorial personnel and repair workers are not permanent employees of the company, they should be treated like other visitors and be escorted and observed.
Once visitors and other outside personnel leave, make sure ID badges are returned and indicate on the record that the individuals have left the facility.
Any visitor, vendor, supplier, contractor, or other person who temporarily enters a facility could be a security risk. Though controlling exactly who can enter the facility may be a daunting task, steps can be taken to help reduce risk. The employer is also accountable for these visitors in an emergency. Employers should know who is in their buildings and where to find them should an emergency arise.
Restrict visiting
First, no matter the size of the operation, businesses should develop and enforce a restricted visiting policy. Visitors and other non-employees should only be allowed to enter the facility when necessary, and all visitors should be required to register at a designated visitor entrance before being allowed to move about the facility.
Though employees may think such a policy is an undue restriction, the management of the organization should instruct all employees on its importance to them and the company’s overall safety and security.
Procedures for visitors
Consider taking the following steps, depending on the level of security required, before allowing a visitor to proceed into a facility:
Despite the best efforts at keeping unauthorized people out, a company can never afford to let its guard down on the inside. Train all employees to take notice of and report suspicious activities and people. For example, employees should be wary of people who are:
Pay particular attention to custodial/janitorial personnel and repair workers. People in these positions may be the least-well-screened personnel at the facility, but may have the most access and tend to generate little suspicion. If possible, develop a rigid screening process for such persons. If custodial/janitorial personnel and repair workers are not permanent employees of the company, they should be treated like other visitors and be escorted and observed.
Once visitors and other outside personnel leave, make sure ID badges are returned and indicate on the record that the individuals have left the facility.
When it comes to protecting a physical facility from intruders, don’t develop a false sense of security just because there is a fence, security camera, or good lighting. One or two security measures are not going to totally protect any company. It takes an integrated system of defenses to prevent unauthorized persons from entering the facility and causing damage and/or leaving with valuable materials.
Facility layout and condition
The best defense starts with the physical layout and condition of the facility. An organization may need to make physical modifications to its facility to truly protect it. Questions to ask include:
The criminal mind can devise sinister, unconsidered methods to accomplish a task. Make sure employees are trained to report suspicious activity or security lapses, and encourage them to offer suggestions for security improvements.
After basic perimeter security, a doorway may be the next best defense against an intruder. In the case of a smaller company, a securely locked door may be the only defense. It’s critical that all entrances and exit gates and doors are secured when not in use.
Maintenance
Make sure all gates and doors are structurally sound, locks are substantial enough to prevent unauthorized entry, and latches close securely. If an entrance needs maintenance, have it done as soon as possible.
A company should examine all doors and replace parts or entire doors if the items provide inadequate protection. A door is only as strong as its composition and points of attachment (i.e., what it’s made of and the strength of locks and hinges).
Generally, an intruder hoping to break through a door will start with the locks, but then may move to the hinges, glass panels, or other areas of the door. Doors with significant amounts of glass should be equipped with additional security measures such as an alarm system, steel bars, or wire mesh, or should be under constant guard. Hollow-core or paneled doors should be reinforced, perhaps with a steel plate inside.
Clean and lubricate doors and adjust them as necessary (remember that wooden doors may change shape with the seasons).
Restricting entry
Never allow just anyone into a building. It is good company policy to require each employee to use that worker’s own ID to enter the building. If possible, IDs should have the employee’s picture, name, and department or function, but remember that it’s relatively easy to fake an ID.
Businesses should have a written policy that includes immediate reporting of lost or stolen security badges or IDs, because most automated systems are unable to tell if the person entering the building is the same one originally issued the ID.
Instruct employees not to hold the doors open for others unless the employee knows the person and the person is a current employee. All visitors should be instructed to use a designated visitor entrance.
Employees, too, should be restricted to designated employee entrances and exits. Emergency exits should only be used in an emergency.
To control who enters the facility, install a security checkpoint, either with personnel or automated. At a minimum, companies should consider a security guard or receptionist at the door screening those who enter the building, or a device that automatically scans employee ID cards or badges and only unlocks the door for authorized personnel.
Establish set hours during which employees may enter the building(s). If access is necessary after hours, employees should be instructed to contact a security guard who can screen the employee and provide access if authorized. If an automated access card system is in place, program the cards to limit access during non-business hours.
Check all windows for security risks. After doors, windows are the easiest way into a building. A window that is easily reached with a ladder, is large enough for a person to crawl through, or could allow someone to reach and open a lock should be considered vulnerable.
Does the facility have windows that can be opened? If so, there is always the chance that one will be left unlocked, or that an intruder could force open the window lock. Evaluate and reinforce the locks if necessary, and make sure employees are closing and locking windows.
Consider installing alarms on windows located on the first and second floors of each building.
If there are window air-conditioners, make sure the units can’t be removed from the outside.
Perimeter walk-around procedures
A periodic walk-around or audit of the external areas of the facility and surrounding grounds will provide a lot of useful information, keeping the company in tune with facility security and highlighting any security gaps.
How often a company conducts security self-audits — whether weekly, monthly, or quarterly — depends on the size of the operation and its relative level of risk. The assessment should be done under varying light conditions (a burned-out light bulb would be invisible during daylight hours, just as a hole in a fence may not be visible at night). These are some questions to ask during the audit:
Remember to obtain employee input, too, since employees are closest to the issues and might be able to alert management to security concerns that go unnoticed during a walk-around audit.
The best locks in the world don’t provide much protection against someone who has a key. First and foremost, entrance security depends on key control. All companies should have a facility-wide key control system that ensures the security of keys, access cards, combinations, key-making equipment, key codes, etc.
The security office or another secure location should be used to store all spare keys, access cards, and other lock-related equipment or information. Personnel who work in those areas should have limited access to equipment and information. Do not store combinations or other lock information on a computer. Conduct periodic inventories and inspections to make sure nothing has been stolen or misplaced.
Other security measures include:
After basic perimeter security, a doorway may be the next best defense against an intruder. In the case of a smaller company, a securely locked door may be the only defense. It’s critical that all entrances and exit gates and doors are secured when not in use.
Maintenance
Make sure all gates and doors are structurally sound, locks are substantial enough to prevent unauthorized entry, and latches close securely. If an entrance needs maintenance, have it done as soon as possible.
A company should examine all doors and replace parts or entire doors if the items provide inadequate protection. A door is only as strong as its composition and points of attachment (i.e., what it’s made of and the strength of locks and hinges).
Generally, an intruder hoping to break through a door will start with the locks, but then may move to the hinges, glass panels, or other areas of the door. Doors with significant amounts of glass should be equipped with additional security measures such as an alarm system, steel bars, or wire mesh, or should be under constant guard. Hollow-core or paneled doors should be reinforced, perhaps with a steel plate inside.
Clean and lubricate doors and adjust them as necessary (remember that wooden doors may change shape with the seasons).
Restricting entry
Never allow just anyone into a building. It is good company policy to require each employee to use that worker’s own ID to enter the building. If possible, IDs should have the employee’s picture, name, and department or function, but remember that it’s relatively easy to fake an ID.
Businesses should have a written policy that includes immediate reporting of lost or stolen security badges or IDs, because most automated systems are unable to tell if the person entering the building is the same one originally issued the ID.
Instruct employees not to hold the doors open for others unless the employee knows the person and the person is a current employee. All visitors should be instructed to use a designated visitor entrance.
Employees, too, should be restricted to designated employee entrances and exits. Emergency exits should only be used in an emergency.
To control who enters the facility, install a security checkpoint, either with personnel or automated. At a minimum, companies should consider a security guard or receptionist at the door screening those who enter the building, or a device that automatically scans employee ID cards or badges and only unlocks the door for authorized personnel.
Establish set hours during which employees may enter the building(s). If access is necessary after hours, employees should be instructed to contact a security guard who can screen the employee and provide access if authorized. If an automated access card system is in place, program the cards to limit access during non-business hours.
Check all windows for security risks. After doors, windows are the easiest way into a building. A window that is easily reached with a ladder, is large enough for a person to crawl through, or could allow someone to reach and open a lock should be considered vulnerable.
Does the facility have windows that can be opened? If so, there is always the chance that one will be left unlocked, or that an intruder could force open the window lock. Evaluate and reinforce the locks if necessary, and make sure employees are closing and locking windows.
Consider installing alarms on windows located on the first and second floors of each building.
If there are window air-conditioners, make sure the units can’t be removed from the outside.
Perimeter walk-around procedures
A periodic walk-around or audit of the external areas of the facility and surrounding grounds will provide a lot of useful information, keeping the company in tune with facility security and highlighting any security gaps.
How often a company conducts security self-audits — whether weekly, monthly, or quarterly — depends on the size of the operation and its relative level of risk. The assessment should be done under varying light conditions (a burned-out light bulb would be invisible during daylight hours, just as a hole in a fence may not be visible at night). These are some questions to ask during the audit:
Remember to obtain employee input, too, since employees are closest to the issues and might be able to alert management to security concerns that go unnoticed during a walk-around audit.
The best locks in the world don’t provide much protection against someone who has a key. First and foremost, entrance security depends on key control. All companies should have a facility-wide key control system that ensures the security of keys, access cards, combinations, key-making equipment, key codes, etc.
The security office or another secure location should be used to store all spare keys, access cards, and other lock-related equipment or information. Personnel who work in those areas should have limited access to equipment and information. Do not store combinations or other lock information on a computer. Conduct periodic inventories and inspections to make sure nothing has been stolen or misplaced.
Other security measures include:
Technology is always changing, and that can mean more security and information-gathering ability for a (sometimes) cheaper price. Lock and security-device manufacturers are adding more and more computer circuitry into products, allowing unprecedented control over who can enter a locked area, when, and how often. These high-tech access control systems are becoming increasingly common in both home and business applications.
It’s a good idea to stay abreast of changes in security technology. Consider the following:
In the future, more and more locks will employ cutting-edge technology including fingerprint, eye, and voice recognition.
Terrorism, according to the Federal Bureau of Investigation (FBI), is the calculated use of unlawful force or violence, or the threat of unlawful force or violence, against person(s) or property for purposes of intimidation, coercion, or ransom in the pursuit of goals that are generally political, religious, or ideological.
Terrorist incidents are not emergencies that the Occupational Safety and Health Administration (OSHA) expects an employer to reasonably anticipate. However, if a terrorist incident does occur in or near one’s workplace, an effective evacuation plan increases the likelihood that the employees will reach shelter safely.
Terrorists typically plan attacks to obtain the greatest publicity, choosing targets that symbolize what they oppose. The effectiveness of the terrorist act lies not in the act itself, but in the public or government reaction to the act.
A terrorist attack can take several forms, depending upon technology available to the terrorist, the nature of the issue motivating the attack, and the target’s points of weakness. While bombings are the most common method, other possibilities include attacking transportation facilities, utilities, banking and financial targets, landmarks, and national treasures, as well as attacks on public services.
Terrorist weapons can include use of explosives, kidnappings, hijackings, arson, killings and assassinations, and cyberattacks designed to slow down or destroy computer networks. Terrorist weapons could also include “weapons of mass destruction� (WMD), defined as biological or chemical agents; and atomic or radioactive “dirty� bombs designed to cause massive casualties in civilian populations.
Since terrorism can impact employers and workers, OSHA works with other federal agencies including the Federal Emergency Management Agency (FEMA), the U.S. Environmental Protection Agency (EPA), the U.S. Soldier Biological and Chemical Command (SBCCOM), the Centers for Disease Control and Prevention (CDC), and within CDC, the National Institute for Occupational Safety and Health (NIOSH).
Chemical facilities, even with very low volumes, are under particular scrutiny, as their operations are considered especially vulnerable to threats.
Because of the increased threat, chemical facilities need to focus on preventing terrorist, criminal, and cyberattacks. Such attacks could have significant national impact (e.g., through the loss of chemicals vital to the national defense or economy). They also could cause releases of hazardous chemicals that might compromise the facility’s integrity, cause serious injuries or fatalities among employees, contaminate adjoining areas, or cause injuries or fatalities among adjoining populations.
For many facilities, compliance with existing regulations led to changes in operations that reduced risk and increased security. Facilities have been able to identify and reduce the chemicals of greatest concern at their facilities. For companies not previously affected by security-related regulations, existing regulations and guidance provide a solid starting point for evaluating processes and implementing changes to improve security.
Chemical facilities that have more than 300 chemicals of interest listed in in Appendix A of the Chemical Facility Anti-Terrorism Standards (CFATS) regulation (6 CFR Part 27) are required to report to the Cybersecurity and Infrastructure Security Agency (CISA) as part of the Chemical Facility Anti-Terrorism Standards (CFATS).
Facilities that have certain amounts of chemicals of interest must meet additional requirements and complete surveys to rank their risk level. Companies that meet the high-risk thresholds are required to have a site security plan.