RBPS 15 - Reporting of Significant Security Incidents and RBPS 16 - Significant Security Incidents and Suspicious Activities complement each other and address the importance of developing protocols and procedures to promptly and adequately identify, investigate and report all significant security incidents and suspicious activities to the appropriate facility personnel, local law enforcement, and/or DHS, as well as to maintain records of all significant security incidents and suspicious activities in or near the site.
Report Security Incidents
The easiest way for a facility to prepare its employees to do their part is to clearly explain to them, and especially to its security staff, how to identify, respond to, and report an incident or activity. For example, a facility can establish written procedures regarding security incidents and train employees on these protocols as part of facility awareness training. It is important to understand what a facility considers to be a significant security incident or suspicious activity.
Significant Security Incidents (Physical and Cyber)
A broad range of events may be considered a security incident, from trespassing, vandalism and petty theft to cyber attacks, bomb threats, and armed attacks. Determining whether an incident is “significant,” and thus reported to DHS and local law enforcement, is generally within the discretion of the facility. Significant security incidents will likely include events arising from intentional threats that attempt to circumvent, or successfully circumvent, a security measure, for example:
- An intentional breach of the facility’s restricted area or perimeter
- An intentional act to forcefully or covertly bypass an access control point
- The theft or diversion or suspected theft or diversion of a chemical of interest (COI)
- An on-site fire, explosion, release or other incident requiring the attention of local first responders
- Any incident with malicious intent to adversely affect critical cyber assets, including IT equipment
Suspicious activities could include a pattern of suspicious people or vehicles in or near the facility, photographing the facility, or other unusual activity indicating that an adversary may be probing or assessing the facility’s security capabilities. This could also include suspicious orders of COI from unknown customers, customers who request cash payments, or delivery to unknown locations or businesses.
Reporting an Incident
RBPS 15 and RBPS 16 address the need for high-risk chemical facilities to promptly and adequately identify, investigate, report, and maintain records of significant security incidents and suspicious activities in or near the facility.
If a significant security incident is detected while in progress, the first call should go to local law enforcement and emergency responders via 911. Similarly, it is recommended that a facility report the incident immediately via 911 if the event has concluded but an immediate response is still necessary.
Once the incident has concluded and the facility has addressed any resulting emergency, a facility should use a non-emergency number to contact local first responders and DHS. Within DHS, report significant physical incidents to the National Infrastructure Coordinating Center (NICC) and report significant cybersecurity incidents to the U.S. Computer Emergency Readiness Team (US-CERT).
The facility should have written procedures, either in its Site Security Plan (SSP) or elsewhere, to ensure that qualified personnel conduct thorough investigations of significant security incidents and suspicious activities to determine the level of threat, any vulnerabilities that were exploited, and what security upgrades, if any, are warranted. Additionally, facilities should share lessons learned as part of the ongoing security awareness program.