Saturday, September 23, 2017

CSAT 2.0 From the Field

The nice thing about writing this blog is that periodically I get a chance to talk to people in the field that are responsible for implementing the Chemical Facility Anti-Terrorism Standards (CFATS) program. I had one of those conversations today with a long-time reader who is a contractor helping a new CFATS covered facility that was caught up by CSAT 2.0. As is usual these conversations are tempered by having to adhere to Chemical-terrorism Vulnerability Information (CVI) rules, so specifics could not be mentioned. Still, there is some information worth sharing.

CSAT 2.0 and MTSA


A lot of facilities are being introduced to the CFATS program by recent changes in the Chemical Security Assessment Tool (CSAT 2.0) and the new risk assessment process that was concurrently introduced by the Infrastructure Security Compliance Division (ISCD) at DHS. This was not covered in my discussions today, but I am hearing indications that some of these new facilities used to feel that they were exempt from CFATS coverage because they were covered by the Coast Guard’s Maritime Transportation Security Act (MTSA) program. The notification letters that ISCD started sending out last fall make it clear that only those portions of the facility covered by MTSA requirements are exempt from the CFATS program requirements.

It seems that a number of facilities took the allowable course of restricting their MTSA footprint to the immediate shore side portion of their facilities. For many larger facilities, this left major portions of the facility uncovered by federal security regulations. ISCD made it clear that those portions of the facility not covered by MTSA were subject to the CFATS Top Screen reporting requirements and potentially full coverage under the CFATS program depending on the DHS risk assessment based upon Top Screen submission data.

After the Tiering Letter


The conversation today addressed some of the lessons learned at a CSAT 2.0 facility that recently received their tiering letter (the official notification from CSAT that the Top Screen submission and subsequent risk assessment had allowed ISCD to determine that the facility is at ‘high-risk’ for potential terrorist attack and was therefore subsequently placed in the CFATS program.

After the inevitable “oh, no… really?” conversation the facility requested a compliance assistance inspection as they began work on prepping for the security vulnerability assessment (SVA) and site security plan (SSP) submissions. Shortly thereafter a DHS chemical security inspector (I still hate the inevitable ‘CSI’ fallout) showed up to take a look at the facility and the work they had already done to make it secure. This is one of those rare cases when you can sigh with relief instead of cringe when the guy says: “I’m from the government and I’m here to help you.”

The initial good news was that because of a detailed DOT Hazmat Security Plan (49 CFR 172.802) the facility had a good head start on fulfilling the requirements of the CFATS Risk-Based Performance Standards (RBPS; 6 CFR 27.230) as explained in the RPBS Guidance document. Additionally, since the CSI had already seen this type of facility before, he was able to provide a template that could probably be used by the facility to submit an alternative security plan (ASP, not the ACC/NACD ASP that I have previously discussed) instead of submitting the cumbersome SSP found in the CSAT tool. (Note: I’m trying to see if I can get hold of a link to that new template.)

Cooperative Enforcement


One of the nice parts of the CFATS program is that ISCD really is working with facilities to get site security plans formalized. To understand why, you just need to look at the most basic restriction that ISCD is operating under; they are forbidden by Congress {6 USC 622(c)(1)(B)(i)} from specifying security measures that facilities must employ.

In practice, this means that the approval of the SSP by ISCD is really a negotiating process. The facility proposes a set of security measures and ISCD determines whether or not those measures meet the RBPS criteria for the Tier Level to which the facility is assigned. ISCD then explains any deficiencies and the facility attempts to remedy them. In the early days of the program this could end up being a rather lengthy process. Fortunately, the CSI now have enough experience with facility security plans, so that they can provide suggestions about what has worked at other facilities.

Once the SSP is approved by ISCD the relationship changes to something more approaching a typical agency private sector relationship as the SSP becomes an enforceable set of standards against which compliance can be measured. I suspect, however, that the relationship will still have more cooperative overtones than with most government agencies because of the relatively stable assignment of CSI to responsibility for a small number of facilities. This allows for a better understanding of facility issues and a closer working relationship.

Cybersecurity


One thing that this new facility was told during their compliance assistance visit was to make sure that they took a good hard look at their cybersecurity planning. As one could expect, ISCD is taking its cue from much higher up the ladder at DHS in focusing on cybersecurity issues.

I reminded my caller that the facility has a relatively large degree of discretion when it defines the portion of the facility which is covered by the CFATS program. For facilities with release risk chemicals of interest (COI) there may be no need to include business IT systems in the CFATS perimeter if they have no effect on the security of the COI at the facility. This is yet another good reason for carefully segmenting the different cyber-networks at a facility.

I also suggested to my reader that they take a good look at using the Cybersecurity Evaluation Tool (CSET) to help evaluate the security of their control systems. The newest versions of this tool from ICS-CERT includes specific CFATS related questions that can be used to help formulate the cybersecurity portion of SSP. The use of CSET does not provide a free pass on the RPBS 8 (cybersecurity) requirements, but it can be a helpful tool.

Other Conversations


I am always interested in talking about chemical facility security with just about anyone involved in the field. My contact information is available on my blog or LinkedIn. I do have a day job with a variable schedule that sometimes makes it challenging to schedule a phone call, but I am certainly willing to make the effort.

No comments:

 
/* Use this with templates/template-twocol.html */