Continuing with the analysis of the FERC Reliability Standards and how they might help chemical facilities secure their electronic control systems, we look at the third standard, Personnel and Training. Again, the FERC standards are written for electrical utility systems not chemical facilities so we need to read the Final Rule discussion carefully to see what might fit into chemical facility systems.
For previous blogs in this series see:
The Personnel and Training Standard “requires that personnel having authorized cyber access or unescorted physical access to critical cyber assets must have an appropriate level of personnel risk assessment, training and security awareness.” (para 413 page 7409) In general, this parallels the personnel surety requirements of the Risk Based Performance Standards found in CFATS (6 CFR Section 27.230).
The Commission explains the importance of training this way:
“…training is integral to the protection of critical cyber assets, and that allowing personnel access to critical cyber assets prior to receiving training increases the vulnerability of and risk to such assets.” (para 416, page 7409)
The idea is that unless a person is adequately trained, they have no way of knowing how to protect the critical cyber assets or even which assets are critical. To insure that personnel receive this training ahead of being allowed access, the Commission recommends that all personnel receive a minimum core training. This core training would cover the importance of protecting critical cyber assets and potential threats to those assets. Personnel would also be told how to report suspicious activities associated with those assets.
In high-risk chemical facilities this core cyber awareness could be included in general security awareness training that should be given to all employees. Again there should be training directed to employees that are given physical or electronic access to critical cyber assets consistent with their level of access. Again, how to spot and report suspicious activity should be included in all security training at all levels.
Personnel Risk Assessment
The Personnel and Training standard requires that each responsible entity “responsible entity to have a documented personnel risk assessment program.” (para 436 page 7411) This policy should specify who is allowed unaccompanied physical access to critical cyber assets or electronic access to those systems. As in all real world applications of policies and procedures there should be provisions for providing emergency access to these assets.
A critical part of this policy is the requirement for personnel to have a completed criminal background check completed before being allowed routine access (para 443 page 7412). The Commission noted that it would be reasonable to allow a 30-day exception to current employees and vendors who were hired before the requirement was put into place.
The Commission has not yet made a determination of what background check information would constitute grounds for denying access (para 446, page 7412). The current CFAT rules seem to take the same stand that it is a management decision, possibly made on a case by case basis, as to what information would be disqualifying. A prudent approach for the risk assessment policy is to specify who has the authority to make that determination.
Cyber and Physical Access
The standard requires “the responsible entity to maintain list(s) of personnel with authorized cyber or authorized unescorted physical access to critical cyber assets.” (para 447 page 7412) The purpose is to allow the people on the ground to know who has approved access. This would seem to require that copies of these lists are available at locations where the access is possible.
Along with the requirement to have such lists is the requirement to keep them up to date. Obviously, when a person is terminated for cause, their name should be removed from the access list in a timely manner (less than 24 hours). Less obviously, a person whose duties no longer require unaccompanied physical access or electronic access to critical cyber assets also need to have their name removed from those lists.
A possible way to deal with this not covered in the Reliability Standards is to use a badge system instead of the lists. Most facilities are now using badges to identify employees, contractors and visitor. A color-coded badge could be used to identify what level of access the wearer is authorized. An example is given below
Green – Unaccompanied Access
Yellow – Accompanied Access
Red – No Access
A – All areas of the facility
B – Chemical Storage Areas (numbers for specific areas)
C – Labs (numbers for specific labs)
D – Maintenance Areas (numbers for specific areas)
E – Electronics (numbers for specific areas)
F – Manufacturing Areas (numbers for specific areas)
Employee and Contractor badges would include a picture and then large letters in the appropriate color to designate areas of authorized access. Visitors would be given badges with Yellow letters designating those areas of the plant that they may enter when accompanied by a person with appropriate access. Using such a system would allow anyone in the facility to see if a person had the appropriate level of access to the specific area.
As mentioned in an earlier blog any procedure or policy is only as strong as its enforcement. It is easy to get complacent and employees have a natural tendency to take affront at being denied to access to areas in the workplace. Management must be proactive in explaining the reasons for limiting access to areas and assets. It must also fairly and routinely enforce those access limitations.