Tuesday, August 23, 2016

ISCD Publishes CFATS Cybersecurity Guidelines

Today the DHS Infrastructure Security Compliance Division (ISCD) posted a link to the CFATS Knowledge Center providing some additional guidance on how ISCD looks at cybersecurity in the site security plans (SSP) for facilities in the Chemical Facility Anti-Terrorism Standards (CFATS) program. This is supplemental information to that found in Risk-Based Performance Standard (RBPS) 8 of the RBPS Guidance Document.

Since the CFATS program is a risk-based security program, ISCD is really only interested in cybersecurity as it relates to the security of the DHS chemicals of interest (COI) that cause the facility to be covered by the CFATS program. Specifically, the guidance notes that ISCD is looking at cyber systems that:

• Contain business or personal information that, if exploited, could result in the theft, diversion, or sabotage of a COI;
• Are connected to other systems that manage physical processes that contain a COI; or
• Monitor and/or control physical processes that contain a COI.

The new document provides a brief overview of the types of activities that ISCD is looking to see in facility SSPs related to three specific types of cyber systems:

• Critical business systems;
• Critical physical security systems; and
• Critical control systems.

As with all ISCD guidance, there is very little detail in this document. This is because of Congressional limitations on the ability of DHS to specify security measures under the CFATS program. Once a facility has an approved SSP, however, the measures described in the SSP are specifically enforceable by ISCD.

