A hundred yards down the entrance road, however, stands a new fence, eight feet of chain link topped with barbed wire. This fence has surveillance cameras and an electronic gate operated by magnetic card keys. Employees slide their identification cards to gain entry. Truck drivers use a keypad to type a code assigned specifically for their delivery or pickup. Visitors use a phone to call the plants main office.

It used to be that anyone could drive up and walk right into the office or over to the loading dock, said Fritz Howes, environmental, health, safety and security manager at Calumets Shreveport, La., base oil refinery, who was formerly stationed at Cotton Valley. It was not at all uncommon to see visitors wandering through the halls, looking for people, without having any appointment. Now, if you dont have a prearranged appointment, you pretty much dont get in.

The changes at Cotton Valley are representative of what has happened at refineries across the United States since the terrorist attacks of Sept. 11, 2001. People throughout the industry agree that those strikes on the World Trade Center and the Pentagon were a watershed moment for security in the nations oil industry. Certainly, some refiners had begun devoting more attention to security before 9/11, but that day grabbed the industrys attention and made it feel threatened.

In response, refiners quickly undertook a systematic effort to protect their facilities from attackers. Assisted and prodded by government, companies took numerous steps that changed the face and working environment of refineries across the country. In doing so, they turned security into a business priority that appears likely to persist for the foreseeable future.

Building Fences

Not all refineries were as lax about security as Calumets Cotton Valley plant. Larger, integrated refineries generally had more protection in place before 9/11 than did smaller facilities. Still, the industry as a whole looked vulnerable in light of the nations most deadly terrorist attacks.

When the tragic events of September 11, 2001, occurred, the nation realized immediately that additional threats had to be taken into consideration in order to protect our homeland, Bob Slaughter, president of the Washington, D.C., based National Petrochemical and Refiners Association, said July 13 during testimony before the U.S. Senate Committee on Homeland Security and Governmental Operations. The refining and petrochemical industries drew the same conclusion.

Over the next four years, the industry and government worked together to try to protect refineries from such attacks. A key part of the effort was the Maritime Transportation Safety Act. Adopted in 2002, it required refineries and petrochemical plants that fall under U.S. Coast Guard jurisdiction (because of their proximity to water) to assess the vulnerability of those facilities to terrorist attack. It also required them to designate security officers and to submit security plans for Coast Guard approval.

The industry met the December 2003 deadline to submit plans for sites covered by the act, then repeated the process for those that did not – approximately 40 percent of the nations nearly 150 refineries.

Implementing those plans led to noticeable changes at many refineries. Beforehand, sources say, security in the U.S. refining industry was a relatively low priority that received limited funding. Many sites had fences, many others did not. Gates, where they existed, were typically manual, and guards, if used, usually had received minimal training. Relatively few sites were equipped with electronic surveillance.

It was not as though the industry lacked experience protecting itself from terrorist attack. As Slaughter noted, refiners and petrochemical companies have long operated globally, often in unstable regions overseas where security is an integral part of doing business. After 9/11, the industry began employing those practices in the United States. Federal, state and local law enforcement helped by assessing sites, pointing out vulnerabilities and advising how to protect them.

Most if not all refineries appointed security officers, a requirement of the MTSA. Corporations loosened purse strings, and federal agencies such as the Department of Homeland Security and the Transportation Safety Administration chipped in large sums as grants. Sites that did not have fences do now, and automatic gates are common. Guards generally are more highly trained than in the past. Many sites bolstered perimeter defenses with improved lighting, alarms and monitoring cameras. The extra-diligent are installing strategically placed sensors or intelligent video equipment that alerts employees to changes in human or vehicular traffic.

Fences in Cyberspace

Not all the attention has gone to physical or facilities security. Information technology experts warn that refiners need to do more to protect electronic networks that are becoming increasingly important cogs in their business. One of the biggest points of concern is the distributed control systems (DCS) which automatically control functions in various parts of plants. Because they work through telecommunications lines, experts worry that terrorists could hack into these systems to obtain information for use in an attack, or could access one to directly take control of and sabotage parts of a refinery. Companies use a variety of measures to protect against such incursions.

To some extent, the newer [distributed control] systems being installed today have built-in security features such as encrypted data streams, said Steven Elwart, director of systems engineering for Ergon Refining Inc., Vicksburg, Miss., and chairman of NPRAs Cybersecurity Committee. The bigger problem is you have older systems – some of which have been in place for 30 years – and its difficult to go back and build security into them.

In that case, we install things like firewalls and anomaly detection systems. But you also do things like take away access from vendors who have been able to just dial in when they do trouble-shooting.

Refiners have spent significant sums of money on security. NPRA officials say they do not have industrywide estimates, but that spending at individual sites has ranged from hundreds of thousands to millions of dollars. Most of those amounts have been for facilities security, they add, explaining that cybersecurity measures carry nominal costs.

Assessing the Threat

How much protection from terrorism has this money bought the industry? That question begets another: How likely a target are refineries in the first place? It is worth noting that the federal government identified two other industries as bigger threats – nuclear power plants and airlines, both of which were subjected to tighter security mandates and closer government scrutiny. Still, the Department of Homeland Security also lists the energy sector as one of more than a dozen industries considered to constitute critical infrastructure and which therefore are subjects of security initiatives.

There is also little if any evidence of terrorists wanting to attack refineries. Industry sources say they know of no actual physical attempt to attack a refinery in the United States, or of specific unexecuted plans ever being discovered. The closest to it, according to NPRA Director for Security Maurice McBride, are cases where authorities learned of individuals who appeared to be conducting surveillance on refineries. He added that it was unclear whether those individuals had connections to terrorist organizations, but declined to discuss specifics.

Likewise, they are unaware of any attempts by terrorists to access refinery cyber networks. Elwart said DCS software has been found in the hands of terrorists.

Nevertheless, refiners believe their industry was and remains an attractive target for terrorism, partly because of the important role it plays in the economy, partly because of the spectacle offered by exploding oil tanks.

We know that al-Qaida likes to blow things up, and they know the oil industry, McBride said. So we see ourselves as a more likely target than something like a bakery or a fiberboard factory.

Progress Report

Security professionals say the industry is much better prepared for an attack today than it was four years ago. But they also harbor no illusions that refineries are attack-proof, or that they could ever be made so.

Certainly, if a terrorist is determined to target you, he can do it, Citgos Houston-based Manager for Corporate Security Delmer Mitchell said in March during a presentation at NPRAs annual meeting in San Francisco. But the more you protect hard targets, the more likely it is that youll encourage them to go after soft targets.

Individuals involved with security say the industry as a whole has completed the first and biggest steps in establishing effective protections. By and large weve completed what you might call the first phase of the process, McBride said. Companies did their assessments and set up the basic [defensive] elements, if they didnt already have them. Now theyre looking around for things that they can do to plug holes and tighten up weak spots.

As those responsible for facilities security look to install more sophisticated gates, cameras or alarms, their counterparts in cybersecurity seem to have more work ahead of them. Thats partly because refineries continue to use more information technology, and new additions bring new security concerns.

You install these technologies because they make you more efficient, Donald L. Paul, vice president and chief of technology for Chevron in San Ramon, Calif,, told the NPRA meeting in San Francisco. But they also make you more exposed. In terms of developing effective cyber-security, he added, Were just at the beginning, Im afraid, of where we have to be going.

While generally complimentary of the role that government has played to date, the industry is keeping an eye on Congress and hoping that it does not become more prescriptive. The chairman of the Senate Committee on Homeland Security and Governmental Affairs, Susan Collins, (R-Maine), has said she intends next year to propose new legislation to improve security in the chemicals industry, which could include many refineries. NPRA said it does not favor new legislation and urged the committee not to set onerous mandates. Slaughter went so far as to say there actually might be less sharing of security-related information between industry and the Department of Homeland Security if the department becomes a more active regulator.

[T]he existing system is working well and care must be taken to do no harm to current efforts in fashioning your ultimate product, he said.

Whether or not the government changes its role, observers say the industrys new emphasis on security is sure to continue for years.