One of the many complaints about attempting to regulate cybersecurity in critical infrastructure is that any attempt to mandate security procedures will, because of the rapid state of change in cybersecurity, result in outdated standards being applied as malware continues to evolve; making the regulations counterproductive. This has led to many (myself included) recommending that any cybersecurity regulatory scheme must be focused on out comes rather than specifying security measures. There is currently only one major security regulatory program that is based upon this concept, the Chemical Facility Anti-Terrorism Standards (CFATS) program. Thus an analysis of the successes and problems of the CFATS program would be important for an extension of that regulatory scheme into the cybersecurity realm.
The CFATS program was established by Congress as an add-on the 2007 DHS spending bill (PL 109-295). Section 550 of that bill required DHS to establish “risk-based performance standards for security of chemical facilities and requiring vulnerability assessments and the development and implementation of site security plans for chemical facilities”.
A key provision of that section was that DHS was prohibited from disapproving “a site security plan submitted under this section based on the presence or absence of a particular security measure”. This provision resulted in DHS developing their Risk Based Performance Standard guidance document. This document provided expected outcomes that DHS would use to evaluate the eighteen performance standards (outlined in 6 CFR 27.230 that would have to be addressed in a covered facility’s site security plan.
The guidance document provided a brief overview of each of the performance standards, including a discussion of the considerations that might have to be considered in selecting security measures and a brief outline of some of the types of security measures that could be employed. At the end of each performance standard discussion was a list of the metrics that the DHS Infrastructure Security Compliance Division (ISCD) would be using to evaluate the site security plan compliance with the RPBS.
For example, the metrics for RBPS 8, Cybersecurity, included:
• Cybersecurity policies;
• Access control;
• Personnel security;
• Awareness and training;
• Disaster recovery and business continuity;
• System development and acquisition;
• Configuration management; and
Most of these metrics contained sub-metrics and a list of performance standards for each based upon the tier ranking of the facility. The tier ranking was a measure of risk assessment conducted by ISCD based upon data provided by the facility in a two-part risk assessment process. The first part was based upon the data provided in the facilities Top Screen submission. All non-exempted facilities in the United States that had chemical inventories that contained one or more of a list of 300+ DHS chemicals of interest (COI) at or above the screening threshold quantity (STQ) set for that COI were required to submit an on-line Top Screen.
ISCD took the information provided in the initial 40,000+ Top Screens to determine which facilities seemed to present a high-risk of terrorist attack. Those 7,000+ high-risk facilities were then directed to submit additional information via the on-line Security Vulnerability Assessment (SVA) tool. That information was then used to confirm the high-risk assessment and to further rank the risk of those facilities by placing them into one of four Tier; Tier 1 being the highest risk tier.
Site Security Program Negotiations
Once a facility receives its Tier ranking notification from ISCD it is then required to prepare and submit its site security plan (SSP) via another on-line tool. Since there is an expected inclination for facilities to minimize their spending on security (an expense with no expected financial return) and the guidance document is deliberately vague as to what security measures are required it is unlikely (ISCD has published no statistics on this) that any facility submitted an initial SSP that met the RBPS metrics is all aspects according to ISCD evaluators.
During the early days of the program ISCD took the stance that the Congressional prohibition against specifying security measures meant that ISCD could not tell facilities what they had to do to modify their SSP plan to ensure that it met all metrics. The most they could do was tell them what metrics had not been met. As the program advanced and Chemical Security Inspectors (CSI) had more experience with facilities having their SSPs authorized and later approved, many of the CSI were able to tell facility security managers what measures had been approved by ISCD at other facilities in similar situations.
As a practical matter this has meant that the process of getting an SSP approved has been a series of negotiations between facilities and DHS. The facility proposes an SSP and ISCD tells them where it is deficient. The facility then modifies the SSP and it is re-evaluated by ISCD. Some number of iterations of this process are required until the facility and ISCD can come to an agreement as to what security measures are necessary for that facility. Those security measures then become the enforceable CFATS requirements for that facility.
While the on-line submission of the SSP allows for some automated analysis there are still a large number of man-hours needed to conduct the evaluation of each submission. Additionally, ISCD has been adamant that their CSI would be maximally available to facilities during the SSP approval process to help guide facilities through the approval process.
These manpower requirements were partially responsible for the lengthy delays that ISCD experienced during the early approval process. As the CSI became more experienced in the program, lower risk facilities were being evaluated, and ISCD instituted various management process improvements, the approval process was sped up significantly. But, even with these improvements, the SSP approval process is time intensive.
For anyone that is looking to the CFATS program as a model for creating a security related regulatory program that is both enforceable and does not specify any specific security measures in the regulations there are some very specific lessons to be drawn from an analysis of the CFATS program. The first and foremost is that a regulatory agency can negotiate facility specific security measures as long as:
• A strong, well-written set of performance standards is used as the basis of negotiation;
• There is a commitment on both the part of both regulated community and the regulators to work together to ensure the security of the regulated community; and
• The regulatory agency, and their political overseers, are willing to allow for a reasonable time frame for the negotiation process to proceed.
The second lesson that should be taken from the CFATS process is that for this process to be successful a relatively large and active inspection force is required to give the regulatory reviewers an accurate view of the on-the-ground situation at each regulated facility. The CFATS program has shown that there may be a need for multiple site visits by the inspection force to properly understand both the security plan and security capabilities of the regulated facility.
Finally, there must be a determined attempt to limit the size of the covered community to keep the size of the inspection force to a size that can be supported within the budget of the regulatory agency. CFATS did this by limiting the universe of potential covered facilities by limiting the number of chemicals that would drive the initial data submission. They then further reduced that number by doing a risk analysis to isolate just the highest risk facilities. Finally, they provided a means whereby a facility could ‘opt out’ of the CFATS program by reducing or eliminating their inventories of COI. Their initial universe of about 47,000 facilities was reduced to about 7,000 by risk analysis and they are now down to 2,984 covered facilities through the opting out process.