CSF - Control System Security and CFATS

Yesterday I wrote a post describing a new process control system security program developed for the Water Sector. The program is broadly based upon the recently published NIST Cybersecurity Framework (CSF). Since large portions of the Water Sector are federally regulated (usually under State supervision) it was to be expected that an attempt would be made to incorporate the CSF into the loose regulatory scheme for drinking water security.

CFATS and CSF

Chemical facilities covered under the CFATS program might also be expected to face the inclusion of a CSF based cybersecurity program under the terms of §10 of the President’s Executive Order on Improving Critical Infrastructure Cybersecurity (EO 13636). Risk Based Performance Standard (RBPS # 8) of the CFATS regulations already {6 CFR §27.230(a)(8)} governs cybersecurity at covered facilities and requires that those facilities:

Deter cyber sabotage, including by preventing unauthorized onsite or remote access to critical process controls, such as Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), Process Control Systems (PCS), Industrial Control Systems (ICS), critical business system, and other sensitive computerized systems;

Thus it would appear that DHS through the Infrastructure Security Compliance Division (ISCD) of the National Protection and Programs Directorate (NPPD) has the requisite “clear authority to establish requirements based upon the Cybersecurity Framework to sufficiently address current and projected cyber risks to critical infrastructure.

Furthermore, the non-directive nature and the lack of specificity found in the CSF would mesh well with the CFATS program’s congressional mandate to allow covered facilities the widest latitude in developing security procedures and processes that would achieve the broad requirements of the RBPS.

The CFATS program already has an RBPS Guidance document that was adapted through a formal publication and public comment process. It provides very-broad, non-specific guidance on all 18 of the separate RBPS that govern the CFATS security processes. It contains 9 pages (pgs 71 – 81) of broadly written guidance on what the facilities site security plan must cover with respect to cyber security. Those pages includes nearly four pages of vaguely worded metrics that may be keyed to the (Risk) Tier ranking of the facility. An example is given below.

Metric 8.2.5 – Password Management - The facility has documented and enforces authentication methods (including password structures) for all administrative and user accounts. Additionally, the facility changes all default passwords and ensures that default passwords for new software, hardware, etc., are changed upon installation. In instances where changing default passwords is not technically feasible (e.g., a control system with a hard-coded password), the facility has implemented appropriate compensating security controls (e.g., physical controls).

Appendix C (pgs 162 – 173) includes another discussion of cybersecurity and how it impacts some of the other RBPS. That discussion also includes a listing of cybersecurity references similar to those found in the CSF. The RBPS reference list is not keyed to allow the facility to determine what areas of what standard apply to which parts of their cybersecurity program.

CSF Style Cybersecurity Guidance

A cybersecurity guidance tool like that developed for the Water Sector would fit in very nicely with the CFATS general security program. It would provide a general discussion of the various details that should make up a cybersecurity program and provide specific references that could be expected to provide more detailed information about that specific portion of the program.

The CFATS cybersecurity program is targeted not so much at protecting information as it is designed to protect access to and control of chemicals. Thus most of the systems covered are control systems, though some of the order placement and tracking systems could be a CFATS concern if the facility were regularly shipping covered DHS chemicals of interest (COI). Additionally any automated security systems, including video detection, security alarms and chemical release mitigation systems would also require protection under the CFATS site security plan.

The CFATS program already has a series of on-line tools that it uses in administering the evaluation of the implementation of the site security plans as well as the administrative aspects of the program. This Chemical Security Assessment Tool, CSAT, could easily be expanded to include a cybersecurity tool.

CFATS Cybersecurity Framework Tool

The Cybersecurity Framework Tool (CSFT) would encompass three closely related cybersecurity tasks:

• Define and catalogue those components of the facility computer based systems that would have direct impacts on the security of the chemicals of interest made, used or stored at the facility;

• Provide a reference based description of the security measures that would be necessary to protect those cyber assets; and

• Provide a method for recording the security activities that the facility has taken and plans to take to protect the security of their chemical security related cyber assets.

CSFT and the Security Vulnerability Assessment

ISCD makes a preliminary determination that a facility is at high risk of terrorist attack based upon the initial information provided in the Top Screen, a data submission tool that provides DHS information about the types and quantities of DHS chemicals of interest (COI) stored, used or produced on site and general geophysical information about the facility. Once that preliminary determination is made, ISCD directs the facility to complete a security vulnerability assessment (SVA).

The first portion of the CSFT would become a portion of that SVA. The facility would provide a brief description of the major components of its chemical and security related cyber systems. The tool would be constructed in a similar manner to the way the current SVA tool is designed with a series of questions with multiple choice types of answers and a limited number of fill in the blank responses.

For facilities that had release hazard COI (chemicals that if released on site in a terrorist attack could be expected to have serious off-site consequences) would be required to list the types of computer or electronic systems used to monitor or control the movement or physical status of those release COI on site. These would be primarily industrial control systems, but could also include automated safety systems and release detection systems.

For facilities that had theft/diversion hazard COI (chemicals that could be used to make improvised explosive devices (IED) or chemical weapons (CW) would be required to list the types of computer or electronic systems used to control the inventory and shipping of those chemicals. This would include any security systems used to control access to those chemicals.

All facilities would also be required to provide information about the electronic security systems that were used to monitor the facility or key area perimeters or control facility or key area access.

Once the major cyber components were identified there would be a series of questions about each of those components. Those questions would be designed to solicit the information necessary to determine the Use Cases similar to those shown in Table 3-1 of the AWWAC Process Control System Security Guidance for the Water Sector. Those use cases would be used to determine the level of cybersecurity risk at that the facility related to the electronic systems used to control or protect the COI at the facility.

More to Come

This post has gotten a little bit longer than I like, so this seems to be a reasonable stopping point. In future posts in this series I’ll look at how the CSFT can be used as part of the site security plan development, authorization and approval processes for CFATS facilities. I’ll also discuss how DHS can use the provided information to provide specific cybersecurity support to the facility.