A key part of any vulnerability assessment is the identification of those parts of the facility that must be protected. In a perfect world everything within the perimeter fence would be protected against any potential attack. In the real world only the most critical parts of the facility can receive the high levels of protection necessary to prevent a successful terrorist attack. In this blog we will look at the electronic systems at chemical facilities to see what requires that protection.
FERC’s New Electronic Security Rules
Back in January the Federal Energy Regulatory Commission published the Final Rule on their “Mandatory Reliability Standards for Critical Infrastructure Protection” in the Federal Register. Any one that thinks that providing security for electronic control systems is simple needs to read this 185 page document. This document is a discussion of their proposed rule, industry comments on that rule and the commission’s final decisions on the issues covered. The eight Cyber Security Standards are not listed in the rule.
The requirements set forth in this rule were designed to protect the electrical power distribution systems of this country from terrorist attacks. As such the requirements are not necessarily directly translatable to security procedures for control systems at chemical facilities. This rule can, however, inform the discussion about how to protect chemical facilities from terrorist attack through their control systems.
There are three definitions that are given in para 234 of the rule (page 7392) that help to set the background for the discussion of cyber security”
· Cyber Assets – “programmable electronic devices and communication networks including hardware, software, and data”
· Critical Cyber Assets – “cyber assets essential to the reliable operation of critical assets”
· Critical Assets – “facilities, systems, and equipment which, if destroyed, degraded, or otherwise rendered unavailable, would affect the reliability or operability of the Bulk Electric System”
Only the last definition needs to be modified to make all three applicable to chemical facilities. Instead of reference back to the ‘Bulk Electric System’ we can make this apply to CFATS rules by substituting: “… would allow for the release, theft/diversion or contamination of a chemical of interest listed in Appendix A to 6 CFR part 27.”
There is one other term that crops up repeatedly in the FERC rule; “responsible entity” and it refers to “Bulk-Power System users, owners, and operators” (para 7, page 7369). Again we can modify that to refer to “owners and operators of high-risk chemical facilities” to translate the FERC rule discussion into terms more applicable to CFATS.
Define Risk-Based Assessment Methodology
The first thing that a responsible entity is required to do (para 237) under these new reliability standards is to establish a methodology for determining whatassets are critical assets. Much as DHS has recognized that there is no set of security protocols that apply to every chemical facility, FERC realizes that the wide variety of systems in the Bulk Electric System will require a variety of assessment methodologies.
One part of this standard lists the types of things that the methodology must look at in the assessment. Other than ‘control rooms’ the assets listed do not have direct counterparts in chemical facilities. Other things that probably should be considered would be servers, power supplies and stand alone safety systems.
Any device that controls an operation that could result in the release, theft/diversion or contamination of a listed chemical of interest should be reviewed in the assessment. This is not just limited to valves that control the movement of that chemical within the facility but such things as temperature and pressure controls that could cause the release through the failure of one or more containment systems.
There was also some considerable discussion about data as a cyber asset. In the end it depends on how that data fits into the definitions given above. The argument could certainly be made that safety limit data could certainly, if deleted or corrupted, “allow for a release” and thus be considered a critical asset.
Misuse of Control Systems
There was one item that FERC did not think received enough emphasis (para 274, pg 7396) in the original version of the standards on the assessment methodology. While they realized that most people would look at control systems they wanted to insure that the misuse of control systems was considered in the assessment. They wanted entities to take a hard look at the consequences of the deliberate misuse of control systems to damage the system.
A special case noted by commission was where a control system controlled multiple assets (para 281 page 7396). Where the individual assets under that control might not be critical in nature, the failure or loss of control for a combination of assets could be critical. During safety reviews in chemical facilities the simultaneous failure of multiple safety systems is usually ignored due to its low probability. When a single control system can affect multiple safety systems, that low probability is no longer a consideration in a security assessment.
Cyber Security and the SVA
The FERC document deals solely with cyber security. The SVA required under CFATS includes the cyber security assessment as just one part of the risk assessment process. But the identification of critical cyber assets is an important part of the SVA process, one that may be too easily overlooked.