by John Bisney
Not long ago, Raymond J. Reese (pictured above), corporate safety and security leader for Colonial Pipeline Co., was in Israel working with the Israeli Health Ministry to help develop a new international security standard. His group was touring a refinery in the southern part of the country, and as the guests walked through the manifold and tank areas, Reese inquired about a large crater in the ground.
The facility manager said it was where the last rocket launched from nearby Gaza City had landed. Reese quickly asked how frequently it happened and was told that a rocket strikes about every three days. He then asked when the last rocket hit and was told, three days earlier. “We picked up the pace of the tour,” he smiled. “The experience was a reminder as to the importance of protecting our own critical infrastructure and way of life.”
Although it’s not every day that Reese and his colleagues in the oil and natural gas security business personally encounter the dangers of actual warfare, they know quite well they’re engaged in constant battles to protect their personnel and facilities against everything from terrorists to con artists.
Reese, based in Alpharetta, Georgia, is security chief
for Colonial, the world’s largest-volume refined
petroleum products pipeline system. It delivers an average
of more than 100 million gallons of gasoline, kerosene,
home heating oil, diesel fuel and national defense fuels
every day. His extensive responsibilities are primarily
domestic, but for his counterparts at the large, integrated
oil and natural gas companies, the scope of the job
can be even more daunting.
James F. Snyder is global security manager for ConocoPhillips.
“Where to begin?” he asks.“We have
interests and operations all around the world. If you
look at the net value of all our assets, it’s
around $170 billion. That’s about the same as
the gross domestic product of the Republic of Ireland.
It’s also about the same as [the combined GDP]
of Jordan, Luxembourg, Panama, Bolivia, Iceland, Nicaragua
and Lebanon. We have a fleet of ships larger than the
navy of most countries.”
Snyder oversees security in such remote locations as
Kazakhstan, Nigeria, Indonesia, and Vietnam—anywhere
ConocoPhillips does business. “We view our mission
as being an enabler. We want to help the business be
successful by creating a safe and secure environment
for it to operate. What we’re looking to do first
is to protect our people; secondly, our operations and
facilities.”
Steel Pipelines and Global Supply Lines
It’s the same mission for Reese, yet with a twist. “What’s unique about pipeline security as opposed to other segments of the industry is that we are very distributed,” he says. Colonial moves a significant percentage of the East Coast’s supplies. The more than 5,500 mile system transports products from Texas, Louisiana, Mississippi and Alabama to more than 250 marketing terminals near the major population centers of the Southeast and Eastern Seaboard.
“So you’ve got a lot of assets spread over a lot of area,” he says. “That presents unique challenges for pipeline security folks trying to address all those jurisdictions, all those different categories of assets and then trying to maintain a security program that’s consistent and appropriate in all situations.
“We also have more than 250 aboveground facilities,
so I spend a considerable amount of my time focused
on these assets and their specific vulnerabilities,
to develop a risk-based security strategy that meets
the requirements of all those different types of facilities.”
With 27 years of industrial security and safety experience,
Reese knows what he’s talking about. He joined
Colonial after a stint as corporate security program
coordinator for the Trans-Alaskan Oil Pipeline.
Snyder, based in Houston, also has an impressive background.
He has law degrees from both the University of Tennessee
and England’s Cambridge University, was deputy
chief counsel for the U.S. Secret Service, served as
a special assistant U.S. attorney for the District of
Columbia and as a federal prosecutor in Austin, Texas.
He’s also been a special counsel for MCI, managed
investigations and business analysis at ExxonMobil and
was director of worldwide security for Apple, Inc.
Such international experience has been crucial, Snyder
explains. “It’s a lot of work with other
governments, a lot of work with our business units worldwide.
In some locations we’re very dependent on the
host governments to provide security. In most countries,
including conflict zones where we operate, only government-sanctioned
officials are authorized to carry weapons. That means
it is incumbent on us to ensure that the governmental
security services are properly trained and are responsive
to the security threats facing our expatriate and national
employees, because differences from country to country
can be significant.”
It’s just one reason he relies on regional security managers around the world, a common practice among the major oil companies. For the Middle East, for example, Snyder hired an Egyptian-born, Arabic-speaking former U.S. Secret Service agent who had conducted virtually all White House trip advances in the region. Snyder says, “Our ability to provide for the security of our employees and operations is totally dependent on the dedication and hard work of each and every one of our security professionals.”
The challenges can also lie in smaller details. He cites an example of British security officials who wanted ConocoPhillips to install an electrified fence around a company natural gas terminal. “We were concerned about potential ignition sources. But even more importantly, an electrified fence would have interfered with a microwave intrusion detection system we already had in place. So we sat down with them and explained we had a better solution that relied on ‘intelligent’ video that will detect unauthorized movements in the plant, and they agreed.”
International relations also involve more political issues. “We’re heavily involved in the Voluntary Principles on Security and Human Rights,” Snyder explains, “which is a multinational initiative to foster respect for human rights in terms of security around the world. So we work closely with local governments and non-governmental organizations to make sure our operations reflect our corporate commitment to human rights.”
Physical Security Paramount
Still, there’s no doubt that the core mission for Snyder and Reese remains physical security for their people and facilities. “With thousands of miles of pipeline,” Reese says, “it’s a major undertaking to keep secure. It becomes a matter of categorizing your system’s assets and then prioritizing your focus on those components deemed most critical. You’re always evaluating what’s most vulnerable to what kinds of threats and then implementing those specific steps likely to help prevent undesirable acts. A balanced risk-based approach to security is an essential element, due to resource limitations, such as finances and personnel.”
Typically, buried pipe itself is not included in the highest tier; the vast majority of Colonial’s pipes are buried and exposed sections are shielded in other ways. “Because they’re geographically diverse, pipelines have a certain robustness and we count on that,” according to Reese. “We have some rerouting capability, for example, that would help reduce the consequences of an attack, and pipelines are not typically considered to be among the most desirable targets available to terrorists. Even so, the fact that terrorist groups have demonstrated the capability and intent to attack pipeline systems abroad means we’re quite focused on the possibility of such an event domestically.”
Indeed, the plot uncovered in June of 2007 to destroy
fuel pipelines at New York’s John F. Kennedy International
Airport illustrates the vulnerability of pipelines.
Four men were charged in a scheme to blow up the jet
fuel pipeline that starts in New Jersey and runs through
Brooklyn to storage tanks that supply aircraft at the
airport. “The interconnections often mean that
when you’re talking about one pipeline, you’re
talking about a number of them,” Reese notes.
“Various pipelines and pipeline assets often combine
to form distribution systems. And although many of us
realize we are a potential terrorist target, the greater
risk may come from domestic sympathizers or copycat
criminals.
“Other pipeline assets, such as facilities, could take longer and cost more to repair or replace,” Reese says. And the increasing use of remote control centers has created new potential vulnerabilities. “It means the IT (SCADA [Supervisory Control And Data Acquisition] and cybersecurity) professionals are your friends. You have to form an alliance, a coalition of the willing, of sorts, because there are two nodes to cyber security. One is the actual software, coding and cyber security protections. But the other one is the physical security aspect of IT. Today, a security manager must have significant knowledge in both areas and form strong partnerships with other professionals in this part of the business.”
Snyder agrees. “Our Technical Security Program looks at all the available methods to help us provide a secure environment. It can be anything from biometric authentication for access control, intrusion detection systems, microwave, intelligent video, weight sensors, motion detectors—any number of technical solutions to make sure we have a secure perimeter and operating environment. It’s authenticating who’s coming into the facility and making sure only those who are authorized do come in.”
Snyder also deals with the challenges a more diverse company like ConocoPhillips faces. “We go out on a regular basis and perform security vulnerability assessments. In recommending security countermeasures we try to understand the threat profile of a given facility. We have 12 refineries in North America alone; a refinery in rural Texas doesn’t face the same security challenges as one right outside New York City. Wherever ConocoPhillips plans the construction of a large refinery we’re deeply involved in its security design to assure, for example, that critical process elements are segregated from areas where non-company personnel require access, such as product loading racks.” And for its workers in such high-risk locations abroad, his company will perform residential security assessments, maintain a warden notification system and provide security briefings to help protect them.
Reese and Snyder also point out they must also be vigilant against acts of internal sabotage triggered by an infiltrator or even a disgruntled employee, and Reese stresses the importance of solid employee training. “Situationally-aware employees who know what to look for and report abnormalities and suspicious behavior are the real cornerstone of any good corporate security program. So you’re really playing a behavioral modification game, a cultural game to get people to remain vigilant—because we’re all susceptible to complacency.” He’s also responsible for safety programs and for those aimed at preventing and responding to workplace violence.
The Impact of 9/11
Although the terrorist attacks of September 11, 2001 prompted many institutions to significantly increase or revamp their security, Snyder points out the oil and natural gas industry had been long aware of the risks and had already taken many precautions.
“Many of our companies had been doing business
in the Middle East and other hot spots around the world
for decades, and some had already had attacks against
their facilities. So what 9/11 did was to focus Western
governments, especially, on the threat more directly
and it prompted them into a more proactive role. For
most security professionals, however, I don’t
think it radically changed our outlook, since we often
focus on responding to a ‘worst-case’ scenario.”
One consequence, Snyder notes, is that governments have
hardened likely targets, so terrorists have increasingly
turned to “softer” targets. The oil and
gas industry has extended supply lines that can be vulnerable
and has a very complex supply chain with many elements.
On the other hand, such systems also have significant
resiliency. “In the U.S. for example, we discovered
that we could keep product flowing despite having more
than 20 percent of the national refining capacity idled
by hurricanes Katrina and Rita in 2005,” says
Snyder.
Reese worked security for the Trans-Alaskan Oil Pipeline
during 9/11, and sees resulting improvements. “The
appreciation for the strategic importance of pipelines
to the nation’s economy has grown since then—as,
of course, has the realization that there are people
out there motivated to harm our infrastructure. Before
9/11, we were focused on criminal threats, cyberthreats,
vandalism and so forth. Since 9/11, pipeline operators
have revisited the issue of security and have made efforts
to incorporate security practices into overall business
operations to a greater degree. It’s just smart
business to consider and to plan for all the various
contingencies and to take an all-hazards approach to
response readiness,” says Reese. “Security
is increasingly a part of that effort.”
Government Collaboration Critical
Although the industry has long had security-related relationships with many critical state and federal government agencies, the connections were expanded and strengthened after 9/11.
“We now have a regulatory compliance program to ensure that we’re aligned with governmentally prescribed security mandates, including the new Transportation Worker Identification Credential, the Maritime Transportation Security Act, Chemical Facility Anti-Terrorism Standards, the Customs—Trade Partnership Against Terrorism, the Patriot Act, water suitability assessments and other security-related licensing requirements for new Liquefied Natural Gas (LNG) facilities, money laundering acts and other legal requirements,” says Snyder. “There are a lot of recently enacted governmental regulations that are affecting our operations, and Europe is following the lead of the U.S. in many ways.” His department helps coordinate and respond to the increasing number of governmental agencies which are conducting security compliance inspections in much the same way that the Occupational Safety and Health Administration (OSHA) and the Environmental Protection Agency (EPA) evaluate safety and environmental concerns.
American oil and gas companies operating abroad also
benefit from information-sharing programs through the
U.S. State Department. Security officers at embassies
around the world are available to consult with American
businesses about threats. “It’s a give-and-take
of intelligence,” says Snyder, “and often
we have better information than the government, so it’s
very collaborative.”
The same relationships are in place domestically involving
the Transportation Security Administration (TSA), the
FBI, and the U.S. Departments of Homeland Security,
Energy, Transportation and others. Says Reese, “Such
links are critical in the pipeline security business.
You have such high interdependence with the upstream
and downstream segments, and with various electric utilities
to keep the product moving safely and continuously through
the pipelines. So to do my job correctly, we have to
partner with those folks. And the same holds true, of
course, for our relationship with government agencies
at all levels. You realize quickly what an interdependent
system this is.”
As the industry’s trade association, API has taken thousands of actions designed to further enhance the security of pipelines, refineries, oil and gas platforms and other facilities, and supports the Energy Information Sharing and Analysis Center (ISAC), an industry group.
“Certainly there are a number of good programs
like that out there” says Reese, “The TSA,
which serves as the point agency to work with the oil
and natural gas industry to secure pipelines, staffs
the Transportation Security Operations Center (TSOC).
“For the pipeline industry, government programs
like this offer a very attractive, no-cost solution
to strengthen a corporate security program. It’s
all about cooperation. Great progress has been made
by government and industry toward the protection of
critical infrastructure, which remains primarily privately
owned. There is still much work to do of course, but
a lot of good people are working on it.”
Investigations a Major Responsibility
But physical security makes up perhaps half of the job.
Much of the rest consists of internal analyses and investigations
and monitoring what’s going on inside a company.
“We prepare on a daily basis through a threat
analysis program to identify actionable risks that could
threaten our personnel, operations or facilities,”
according to Snyder.
“We also have a proactive investigative program
to review potential deals to ensure compliance with
the federal Foreign Corrupt Practices Act. We will vet
the principals to better understand who they really
are to make sure we are in compliance with the law.
We also conduct due-diligence to determine any conflicts
a potential business partner might have with our business
ethics. It’s a team approach. An oversight committee
looks at these deals, and we conduct investigations
at their direction.”
Snyder, for example, oversees an annual security audit compliance program, something companies are increasingly required to do by law, and prepares an annual security strategy briefing for the chairman. Other security needs can range from making sure corporate executives are shielded from someone with an ax to grind getting into their offices to providing special event security such as for the annual shareholders meeting.
No Typical “Day in the Life”
“I don’t really have a typical day,”
says Snyder. “I travel a minimum of 100,000 miles
a year and sometimes more than twice as many. I think
I had 170,000 air miles last year—on just one
carrier.”
Often his day will begin with a series of phone calls
to his far-flung managers, even before Snyder leaves
home. “Were there developments in Algeria overnight?
Any new challenges from the Niger Delta? How might it
impact on safety or production? I typically hold a worldwide
security staff meeting once a week, but scheduling isn’t
easy given the time zones!”
A key component of Snyder’s operation is ConocoPhillips’ around-the-clock security response center in Houston, Texas. “If there’s a major event, the center will make the notifications to enable the company to respond regardless of whether it’s a spill, a serious injury, a significant production disruption or even an attack. I can get a lot of calls at 2 or 3 in the morning!”
At Colonial, Reese also oversees security of a command center and reports a lot of variety in his far-reaching role. “I might spend a portion of my day on physical security,
talking with management at a field location. I might be on the phone with them or a vendor dealing with lighting, camera or other physical security issues, and handling the associated paperwork for acquisition and/or maintenance. Employee pre-employment verification is another area of crucial importance. Background checks and pre-employment screening are preventative areas where security professionals often partner with Human Resources to help proactively reduce the likelihood of introducing a risk to the organization by hiring undesirably. I also make sure our contractors remain focused on doing all that they can in this regard.
“I recently met with the legal group on issues we are working on collectively. I might
be involved with an internal investigation into theft or some other impropriety. I travel about 40 percent of the time, attending government meetings, participating on the API Security Committee, meeting with other safety and security managers and completing field audits and meeting with our owners on benchmarking initiatives.
“We do in-depth incident analysis for even ‘near-misses’ since we have committed to a lessons-learned environment. My job also includes supporting the employees in the field, so it’s also staying abreast of what challenges and successes they have. We get involved with writing policy, revising security plans and doing audits. So you’re in the airport a lot, on the phone and BlackBerry a lot, in the field a lot—it does not end!”says Reese.
Snyder is the current chairman of the API Security Committee, which developed a recommended methodology used by all the major oil companies (not just API members) to conduct security assessments of their facilities to identify gaps. “It’s a great baseline for the work that we do. It also allows us to make sure we’re in compliance with all the governmental requirements. API should be justifiably proud of the work that it did.” API has also published standards for securely monitoring the movement of oil through pipelines.
Snyder’s role also brings him to Washington for meetings with federal officials “to help them better understand our industry and to help ensure that governmental regulations positively impact the security of the energy industry.”
Magic vs. Tragic
Because he travels frequently to high-risk locations,
Snyder has had some close calls. For example, on the
same day he was scheduled to review security at a facility
operated by another international oil company in the
Niger Delta, some 25 to 30 heavily armed militants attacked
it. During a subsequent visit to Nigeria to assess security
at another facility operated by the same firm, Nigerian
militants attacked that location. While traveling to
Qatar, normally a very safe and secure country, a bomb
went off at an English-language playhouse in Doha. And
a bomb was exploded at the Australian Embassy in Jakarta
when Snyder was traveling to Indonesia to assess security.
Snyder insists that he was never in danger, but says
that one company operations manager jokingly offered
to bribe him to “stay far away from my business
unit!”
Snyder and Reese both report a huge degree of professional enjoyment and satisfaction. “Because the safety of our personnel is on the line, you can’t phone it in,” says Snyder, “but I like what I do in part because it is such a diverse job. One day you can be speaking with an assistant secretary of Homeland Security regarding the need to screen refinery turnaround workers and the next, assessing the security of a remote gas plant in the rain forest of Sumatra. For me, that’s very interesting.”
Reese agrees: “Feeling as though you are making a difference is extremely rewarding. Some days are magic and some days are tragic. I skip out of here sometimes, and sometimes I go out rubbing my temples, but I always manage to enjoy the relationships with the many quality employees of Colonial, without which the security mission could not be fully accomplished. It’s an all-encompassing job, not for those who want to punch the clock. You live it. It can keep you awake at night, but I want to be part of it.” |
