Learn about the regulatory landscape and best practices in railway security, addressing Health, Safety, Security, and Environment (HSSE) systems for industrial railways. Explore the intersection of safety, security, and environmental protection in the rail sector.
SECURITY IN THE RAIL SECTOR Ephimios “George” Sgouromitis, CRSP Manager, Corporate HSSE (Health, Safety, Security and Environment) Gibson Energy Inc. George.sgouromitis@gibsons.com
Why am I here? Our perspective and journey… • Work for a company that operates industrial railways • Multiple requirements from many regulatory stakeholders • HSSE Team member high grading our HSSE systems to a “best in class” goal • OHS requirements from federal, provincial regulatory stakeholders • Registered “Critical Infrastructure Facilities” (Alberta Solicitor General and Public Security) • Security requirements from federal and provincial regulatory stakeholders • Gibson's believes in engagement with “the process” and supports my membership as a: • Committee Member - CSA Z246.1 Security Management for Petroleum and Natural Gas Industry Systems • Committee Member - CSA Z246.2 Emergency Preparedness and Response for Petroleum and Natural Gas Industry Systems • Traditional safety programs have been replaced with Safety Management Systems • Too many non-prescriptive regulations/requirements to meet and interpretations thereof • Energy and related sectors are experiencing security threats on an increased basis from domestic individuals to international organized malevolent entities
HSSE – According to Webster's Dictionary • health • health is important • safety • noun safe·ty \ˈsāf-tē\ • : freedom from harm or danger : the state of being safe • : the state of not being dangerous or harmful • : a place that is free from harm or danger : a safe place • : the condition or state of something • security • noun se·cu·ri·ty \si-ˈkyu̇r-ə-tē\ • : the state of being protected or safe from harm • : things done to make people or places safe • : the area in a place (such as an airport) where people are checked to make sure they are not carrying weapons or other illegal materials • environment • environment is important • but we see significant cross over (confusion) with “safety” and “security”
What does Google tell me about Rail Security? • Rail Security – Transport Canada (https://www.tc.gc.ca/eng/railsecurity/menu.htm) • The Surface and Intermodal Security (SIMS) Directorate manages Transport Canada's rail security program. Guided by the Railway Safety Act, the International Bridges and Tunnels Act, the Transportation of Dangerous Goods Act, and the federal government’s transportation security mandate, SIMS Directorate works with its partners to enhance the security of surface and intermodal transportation across Canada. • SIMS Directorate’s activities span a broad variety of surface, intermodal and multimodal security interests, including passenger and freight rail, urban transit, international bridges and tunnels, and transportation of dangerous goods (by truck and train). • The security of federally-regulated railways in Canada is subject to the Railway Safety Act. A major achievement of the Transport Canada Rail Security program is the establishment and ongoing work related to the Memorandum of Understanding (MOU) signed between Transport Canada and the Railway Association of Canada (RAC) on November 15, 2007.
Memorandum of Understanding - TRANSPORT CANADA (TC) / Railway Association of Canada (RAC) • MOU - TRANSPORT CANADA/RAC • No. H 217/07 • For release - November 15, 2007 • OTTAWA - The Honourable Lawrence Cannon, Minister of Transport, Infrastructure and Communities and Mr. Cliff Mackay, president and chief executive officer of the Railway Association of Canada (RAC), today signed a Memorandum of Understanding (MOU) to strengthen railway security. • The main component of the new MOU is that each railway operator who is a member of RAC will prepare a security plan based on risk assessment. • These plans will be provided to the Minister of Transport, Infrastructure and Communities and each will be reviewed no less than once a year. • The MOU also includes important elements, such as maintaining records, performing exercises and drills, appropriate training and awareness for new employees, and reporting incidents to the Minister as soon as possible. • The MOU reflects the core principles and best practices of the railway industry. It is an important voluntary action by RAC members to enhance the security of rail operations.
Railway Association of Canada – Security page (http://www.railcan.ca/safety/security) • RAC has established a Security Committee that focuses on the sharing of ideas, best practices and technology and has initiated security improvements within the industry. • Its mandate is to advise on security concerns, relevant legislation, security improvements, facilitating and coordinating security concerns and activities between freight and passenger members. • RAC, in cooperation with its members, is working closely with Transport Canada in developing programs and initiatives to improve the security of passenger Rail and urban transit operations. • RAC and Transport Canada signed a Memorandum of Understanding (MOU) in November 2007 that required RAC members to submit a description of their security plans to Transport Canada by July 2008. The security plans are reviewed on an annual basis and updated as required. • Further, there is a systematic review of each railway security plan every three years. • In addition, the rail businesses will report to Transport Canada any security incidents as they occur.
Railway Association of Canada – Safety and Security page (http://www.railcan.ca/safety/safety) • Rail Security • In order to enhance the security of Canada’s railways, Transport Canada, the Railway Association of Canada and its members signed an agreement on security in 1997. • A revised Memorandum of Understanding on Railway Security (MOU) was signed in 2007. • Under the MOU, operators are required to: • develop and maintain risk-based security plans; • conduct exercises to fully test the emergency portions of their security plans; • provide employees with security training and awareness; • report security incidents; • maintain records (e.g. on security training); and • identify at least one person with whom the Minister of Transport may share security intelligence. • This MOU aims to strengthen rail operators’ ability to prevent, prepare for, respond to and recover from a security incident • “The MOU applies to the operators (31) outlined in Appendix A, as per Clause 7 of the MOU”
Railway Safety Act (R.S.C., 1985, c. 32 (4th Supp.)) (http://laws-lois.justice.gc.ca/eng/acts/R-4.2/) • Act current to 2015-03-31 and last amended on 2015-02-26. • Referenced in the Act: • Security – 22X • Security document – 6X • Security measures – 2X • Security threat – 1X • (From my perspective “No real direction on what my security program/plan should look like”)
Railway Safety Management System Regulations (SOR/2001-37) (http://laws-lois.justice.gc.ca/eng/regulations/SOR-2001-37/) • Regulations are current to 2015-03-31 • Enabling Act: RAILWAY SAFETY ACT • Referenced in the Act: • Security – 0X • Security document – 0X • Security measures – 0X • Security threat – 0X • (From my perspective “No real direction on what my security program/plan should look like”) • (HSSE MS vs. Rail SMS? - topic for another day)
International Bridges and Tunnels Act (S.C. 2007, c. 1) (http://laws-lois.justice.gc.ca/eng/acts/I-17.05/) • Act current to 2015-03-31 and last amended on 2015-02-26. • Referenced in the Act: • Security – 29X • Security document – 0X • Security plan – 2X • Security measures – 12X • Security threat – 0X • (From my perspective “No real direction on what my security program/plan should look like”)
Alberta Transportation - Industrial Railway Circular No. - 2 • https://www.transportation.alberta.ca/Content/docType521/Production/INDUSTRIAL%20RAILWAY%20CIRCULAR%20NO%202.pdf • “GUIDELINE FOR THE DEVELOPMENT OF SECURITY MANAGEMENT PROGRAM FOR DANGEROUS GOODS TRANSFER SITES” • NOW WE ARE GETTING CLOSE! • “BUT remember this is specific to transloading facilities for Dangerous Goods in Alberta” • Clause: • 5. Risk Assessment • The SMP must be based on the results of a comprehensive risk assessment of the dangerous goods transload site, proximity to other persons and structures outside the facility and employees including structures used for the product(s) being transloaded. • Identifying inherent risk at the transload site will lead to the development of the required mitigation procedures / measure in order to reduce the security / risk to an acceptable level.
Alberta Transportation - Industrial Railway Circular No. – 2 (cont’d) • 6. Security Management Program Development • The SMP should be developed to address the identified risks, and, in addition the following should be considered: • Table of contents complete with change in document dates • Site map detailing security features such as fences, buildings in close proximity outside the fence, cameras, gates and muster locations etc. • Cover sheet indicating the: • Location • Dangerous classification of products being transloaded • Emergency phone numbers for responders and staff • Position in the company responsible for emergency response during operational hours and non-operational hours • Emergency response plan to a threat or incident • Security management program, emergency response, dangerous goods, railcar and truck tank training given to staff
NOW WHAT? • Government directions: • Federal requirements; • Provincial/State requirements; • Local requirements; • OHS/Safety requirements; • Rail requirements; • Security requirements; • Transportation requirements; • Etc. • Operator based directions: • Company requirements; • Customer requirements; • Industry requirements; • Association requirements; • Etc. • Lots of “special” words used: • Shall; Will; • Should; May;
Harmonization…………………. • (http://dictionary.cambridge.org/dictionary/business-english/harmonization) • harmonization • noun [U] • “the act of making systems or laws the same or similar in different companies, countries, etc. so that they can work together more easily”
Harmonization…………………. • We must ask ourselves; could this work in Canada? • e.g. AER (Alberta Energy Regulator) once was 2 entities with 2 reporting requirements • (Energy and Utilities Board + Alberta Environment-SRD) • The Alberta Energy Regulator ensures the safe, efficient, orderly, and environmentally responsible development of hydrocarbon resources over their entire life cycle. This includes allocating and conserving water resources, managing public lands, and protecting the environment while providing economic benefits for all Albertans. • Energy regulation in Alberta spans more than 75 years and has evolved over time. This evolution continued in 2013 when the AER became a new organization and began taking on regulatory functions related to energy development that were previously held by Alberta Environment and Sustainable Resource Development (ESRD). This transition is now complete, and the AER is now the single regulator of energy development in Alberta—from application and exploration, to construction and development, to abandonment, reclamation, and remediation. • (https://www.aer.ca/about-aer/who-we-are)
CSA Standards used for harmonization • Federal • The National Energy Board (NEB) adopted: “Companies shall develop, document, implement and maintain a security management program that is in accordance with CSA 246.1-13, Security Management for the Petroleum and Natural Gas Industry, as amended from time to time.” • Provincial • Province of British Columbia (BCOGC - adopted) • Province of Alberta (AER - currently reviewing standard) • Province of Ontario (TSSA adopted) • Province of New Brunswick (adopted)
SECURITY IN THE RAIL SECTOR • We need a prescriptive/granular security standard that could apply to our Rail Security needs, that meets or exceeds the myriad of regulations that require us to have……security across all jurisdictions. www.gibsons.com
CSA Z246.1-13 Security Management for Petroleum and Natural Gas Industry Systems • This Standard specifies criteria for establishing a security management program to identify and manage security threats and associated risks with the objective of preventing and minimizing the impact of security incidents that could adversely affect people, the environment, assets and economic stability
CSA Z246.01-13 Security Management for Petroleum and Natural Gas Industry Systems • In August 2009, the CSA published a new Standard titled CSA Z246.01-09 Security Management for Petroleum and Natural Gas Industry Systems (latest version CSA Z246.01-13). • This consensus Standard was developed by a technical committee comprised of members of government, industry and security professionals. • The Standard is based on the premise that security risks are managed using a risk-based approach to provide a framework to protect energy infrastructure from malicious damage. • The development of CSA Z246.1-13 represents a three year joint effort on the part of industry, government and security specialists to develop a consensus document that could assist and guide all parties.
CSA Z246.01-13 Security Management for Petroleum and Natural Gas Industry Systems • The purpose of the Security Standard is to assist and guide industry in the development and implementation of a Security Management Program. • The new Standard includes criteria for establishing a security management program to ensure security threats and associated risks are identified and managed. • This Standard provides mitigation and response processes and procedures to prevent and minimize the impact of security incidents that could adversely affect people, the environment, assets, and economic stability. • While the requirements of the Standard are applicable to all National Energy Board (NEB) regulated companies regardless of their size, the Board recognizes that a security program will vary depending on factors such as type, size, location and criticality of the assets being protected. CSA Z246.01-13 was developed to be scalable, ensuring it may be used by small operators as well as large companies. • The CSA standard is performance based, allowing companies to base their security management decisions on risk.
CSA Z246.1 CONTENT • Introduction • Scope • Definitions • Security Management Program (SMP) • Security Risk Management • Information Security Management • Information Security & IT/Control Systems • Personnel Security • Physical Security Measures • Security Incident Management • Change Management Process • Evaluation / Review • Continual Improvement
Security Risk Management • Includes: • Asset Characterization • Threat Assessment • Vulnerability Assessment • Security Risk Assessment • Risk Mitigation “The operator SHALL develop and implement security measures based on findings in the security risk management process.”
Information Security Management • Includes: • Policies and Procedures • Training and Awareness • Classifying Internal Information “The operator SHALL classify and protect internal information based on the risk presented by inappropriate, inadvertent, or malicious disclosures.” • Handling and Storage • External Information • Records and Documentation • Destruction
Information Technology / Control Systems Security • Information Technology: • “The Operator SHALL develop, document, implement and maintain an information technology security process.” • Control Systems Security: • “The Operator SHALL develop, document, implement and maintain a control system security process.”
Personnel Security • Includes: • Protection of Personnel • Security Training & Awareness “The operator SHALL establish, implement, document and maintain a security training and awareness process.” • Employee / On-Site Personnel Screening • Employee / On-Site Personnel Termination • Employee Travel
Physical Security Measures • Includes: • “The elements specified in Clauses 9.3.2 to 9.3.10 SHALL be considered.” • Fencing/Exterior Walls/Gates • Signage/Lighting • Intrusion Detection Systems/Alarms • Access Control • Lock, Key and Electronic Access Control • Video Surveillance Monitoring • Designated Security Guards • Protection of Critical Components, Spares & Utilities
Security Incident Management • Includes: • Planning / Response Process “The operator SHALL develop a security incident management process that specifies how the operator will respond to, communicate, document, recover from, de-escalate security related threats and incidents.” • Security Exercises & Drills “The operator SHALL evaluate the effectiveness of the security incident response process through exercises, drills, and lessons learned from actual incidents. An exercise or drill plan SHALL be developed and implemented.”
Change Management Process • Process “The operator SHALL develop, document, and implement a change management process for changes that could have a significant impact on the effectiveness of the SMP.”
Evaluation and Review • A review SHALL: • Be Conducted Annually • Consider Audit Results • Consider Significant Change in Assets • Consider Success of Internal Objectives • Analyze Conformance to Legal Requirements • Be Approved by Management
Gibson – Industrial Railway Operator? • Gibson’s presently in Alberta has 5 Industrial Rail Sites. • Alberta Transload sites: • Edmonton: (10 tracks) - approx. 75 cars at a time (max) • Hardisty: (1 track) - approx. 14 cars at a time (max) • Sexsmith: (3 tracks) - approx. 60 cars at a time (max) • Rimbey: (1 track) - approx. 28 cars at a time (max) • Barr: (1 track) - managed by Gibson's Transportation and Trucking Business Unit • Other Rail assets: • British Columbia (LPG), • Ontario (GGL) • Saskatchewan (Refinery) • Gibson's has adopted CSA Z246.1 to meet and exceed our regulated security requirements, as well as ensure we are prepared for any new and more prescriptive requirements in the future • Gibson's is not currently regulated by National Energy Board (NEB) • Gibson’s operates “Critical Infrastructure” Sites under the AB-SOLGEN jurisdiction
Security Consultants • Gibson Energy had no in-house security professionals; • Sourcing and engaging the services of an experienced security professional was deemed prudent and cost effective to high grade the creation and development of our Security Management Program • Gibson sourced and engaged the services of “Tocra Inc.” • Principal • Myles Toews has over 37 years' experience as a security professional. During a 26 year career in the Royal Canadian Mounted Police he performed criminal intelligence duties and conducted investigations into organized crime including the management of international investigations in North America and overseas. • After the events of September 11, 2001, TOCRA was approached by the Government of Alberta to assist in the development of a Provincial crisis management plan specific to critical infrastructure. Over the ensuing 8 years Myles has worked with various industries i.e. food, electricity, water, environment, telecommunications and transportation to meet certain objectives under the Provincial plan. During this period he also worked for the Alberta Energy & Resources Conservation Board and National Energy Board to assist in the development and implementation of their respective security management programs. • * Myles is an original member and a current Vice Chairman on the Canadian Standards Association (CSA) Technical Committee Z246.1 (Security Management for Petroleum and Natural Gas Industry Systems). • http://www.tocra.ca/
The Path Forward; • In the absence of any specific or granular security program direction in many regulations or industries. • I recommend this path forward: • All Federal and Provincial Regulators review the CSA Z246.1 Security Management standard • Approach CSA directly to discuss increasing its scope to include rail • National Energy Board Canada • Wes.Elliott@neb-one.gc.ca; (403) 299-3735 • Z246.1 Committee is committed to expanding the scope to other industries • All industrial railway operators review the CSA Z246.1 standard • Understand its scope and applicability • Look at its application across all your operations; not just rail • Industry and regulators to work together to lobby and adopt the standard • Make “HARMONIZATION” a goal for security in Canada • High grade security across as many Canadian operation types as possible;