The current authorization for the Chemical Facility
Anti-Terrorism Standards (CFATS) program expires on December 18th,
2018. Sometime within the next year, Congress will most likely be taking up
some form of reauthorization of the program. While we might expect to see
simple inclusion of extension language in the DHS spending bill, it would be
more efficient if Congress took up a standalone reauthorization bill that
updated the program. This is the first in a series of posts that looks at what
I would like to see included in such a bill. It should come as no surprise to
readers of this blog that I would like to see cybersecurity addressed in some
detail.
Definitions
I might as well start out this discussion by providing
realistic definitions of cybersecurity that address the differences between
security in information technology and security in operational technology (control systems).
Readers of this blog will recognize that these definitions have
been proposed here in other contexts.
6 USC 621 is amended by adding at the end:
(15) The term ‘information system’ has the meaning given the term in
section 3502 of title 44;
(16) The term ‘control system’ means a discrete set of information
resources, sensors, communications interfaces and physical devices organized to
monitor, control and/or report on physical processes, including manufacturing,
transportation, access control, and facility environmental controls;
(17) The term ‘cybersecurity risk’ means:
(A) threats to and vulnerabilities of information, information systems,
or control systems and any related consequences caused by or resulting from
unauthorized access, use, disclosure, degradation, disruption, modification, or
destruction of such information, information systems, or control systems,
including such related consequences caused by an act of terrorism; and
(B) does not include any action that solely involves a violation of a
consumer term of service or a consumer licensing agreement;
(18) The term ‘cybersecurity incident’ means an occurrence that
actually or imminently jeopardizes, without lawful authority:
(A) the integrity, confidentiality, or availability of information on
an information system,
(B) the timely availability of accurate process information, the
predictable control of the designed process or the confidentiality of process
information, or
(C) an information system or a control system;
Incident Reporting
There are currently no regulatory requirements for CFATS
facilities to report cybersecurity incidents. The closest the current regulations
come is the requirement in 6 CFR 27.230(8) to ‘deter cyber sabotage’, or the
more general requirement. There is a strong suggestion in the Risk Based
Performance Standards (RBPS) guidance document (Metric 8.5.4, page 80) that: “Significant
cyber incidents are reported to senior management and to the DHS’s US-CERT at www.us-cert.gov.” To date, there is no public
record that any such reports have been made.
I think that this suggestion should be a requirement of the
CFATS program and should be further strengthened. I propose the following amendment
to 6 USC 622:
(f) Cybersecurity Incident Reporting
(1) The Secretary will revise 6 CFR 27.230(15) to include requirements
for the reporting of cybersecurity incidents or suspected cybersecurity
incidents. Those revisions will address:
(A) Reporting cybersecurity incidents related to information systems to
the DHS US-CERT or successor organization;
(B) Reporting cybersecurity incidents related to control systems to the
DHS ICS-CERT or successor organization;
(C) Ensuring that information provided to US-CERT or ICS-CERT in such
reports will be protected under provisions outlined in 6 USC 23;
(D) Requiring US-CERT or ICS-CERT to provide copies of the final
reports on such incidents to the head of the agency designated for the
enforcement of the CFATS regulations. Anonymized information about such
incidents will be further shared with CFATS covered facilities as deemed
appropriate.
(2) The Secretary will revise 6 CFR 27.230(15) to ensure that
significant cybersecurity incidents will be reported to the FBI.
Control System Vulnerabilities
There are no provisions in the current CFATS regulations or
the RBPS Guidance documents that address the identification and mitigation of
control system vulnerabilities. To correct that missing element of control
system security I would propose the following additional amendment to 6 USC 622:
(g) Control System Vulnerabilities
(1) The Secretary will revise 6 CFR 27.230(8) to address the
identification and mitigation of vulnerabilities in control systems identified
in facility site security plans. The revision will address requirements to:
(A) Identify critical control system components that affect the
storage, use, or movement of DHS chemicals of interest identified in the
facility tiering letter;
(B) Maintain a list of vulnerability reports from ICS-CERT and/or the
vendor concerning those components;
(C) Conduct a risk assessment of those reported vulnerabilities; and
(D) Maintain a record of the outcome of those risk assessments that
includes whether and when appropriate mitigation measures were implemented.
(2) The Secretary will require ICS-CERT, or successor organization, to
identify control system security advisories and alerts that could apply to
chemical facilities and notify the agency responsible for the enforcement of
the CFATS regulations when such advisories and alerts are published.