This is part of a continuing series of blog posts on the newly released Expedited Approval Program (EAP) guidance document for Tier 3 and Tier 4 facilities under the Chemical Facility Anti-Terrorism Standards (CFATS) program. Other posts in the series are:
In the next couple of posts I’ll be looking at some of the actual security requirements outlined in the new EAP. As a reminder, all of these requirements are based upon the standards set forth in the Risk-Based Performance Standards (RBPS) guidance manual issued six years ago. That document describes considerations to be used in selecting appropriate security measures to fulfill each of the 18 standards outlined in 6 CFR 27.230.
I am going to start with the requirements in the EAP for RBPS #8, Cybersecurity. The main reason that I am starting here, rather than at the more conventional starting point, is that I am also interested in how ISCD is dealing with some of the complicated issues of cybersecurity, and the EAP provides a unique opportunity to look at how ISCD would like to see cybersecurity implemented in high-risk chemical facilities.
RBPS #8 Requirements
The regulatory requirements for cybersecurity are spelled out in §27.230(8): “Deter cyber sabotage, including by preventing unauthorized onsite or remote access to critical process controls, critical business systems, and other sensitive computerized systems.” The generic discussion of how this can be done starts on page 71 of the RBPS guidance and the metrics for evaluating security measures can be found starting on page 78. In the EAP guidance document the discussion of cybersecurity measures starts on page 40 and the cybersecurity portion of the site security plan (SSP) template starts on page 82.
The first requirement is to establish what computer systems
are covered by the SSP. It must always be remembered that the SSP is focused on
protecting the DHS chemicals-of-interest (COI) found on the site. This means
that the facility is required to list all of the cyber assets that:
∙ Monitor and/or control physical processes that
contain a COI;
∙ Are connected to other systems
that manage physical processes that contain a COI; or
∙ Contain business or personal
information that, if exploited, could result in the theft, diversion, or
sabotage of a COI.
Computer systems that deal with security functions like
access control, surveillance and alarms are not considered under this RBPS unless
they are connected to a computer system described above. They are considered during
the discussion of their related security measures.
Cybersecurity Policies
The next area of the cybersecurity portion of the SSP deals
with the establishment of cybersecurity policies. These policies must:
∙ Be documented, distributed and
maintained with a management of change policy;
∙ Include the designation of a trained
and qualified individual(s) to manage cyber security for the facility;
∙ Require account access
control to critical cyber systems utilizing the least privilege concept;
∙ Maintain access control lists,
and ensure that accounts with access to critical/sensitive information or
processes are modified, deleted, or de-activated in a timely manner;
∙ Establish password management
protocols to ensure all default passwords have been changed (where possible),
enforce password structures, and implement physical controls for cyber systems
where changing default passwords is not technically feasible;
∙ Restrict physical access to
critical cyber assets and media;
∙ Provide for cyber security
training to all employees that work with critical cyber assets; and
∙ Require that the facility
report significant cyber incidents to senior management and the DHS Industrial
Control Systems Cyber Emergency Response Team (ICS-CERT).
Each of the bullet points listed above has its own check-off
box on the EAP SSP template. There are no requirements to provide any
additional information to ISCD for this area of the SSP. In general this will
be true for almost all of the EAP SSP documentation. This will be the last time
that I mention this check-off technique, but I will mention where the EAP
requires additional information be provided to ISCD beyond the simple check the
box.
There is a little more detail in the discussion portion of the EAP guidance on the topics listed above. Only two of them have any additional information of significance: the training requirements for the cybersecurity officer (pg 42) and a discussion of the documentation supporting the requirement to report significant cybersecurity incidents to ICS-CERT (pg 43).
Remote Access
Next there is a very short section on remote access to the
cybersecurity assets. It requires that:
∙ The facility defines allowable
remote access and rules of behavior.
In the detailed discussion there is also a requirement to
capture all remote access activities on system logs.
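Several of the policy items above (changed default passwords or a documented physical control where a change is not feasible, least-privilege account access, timely de-activation of accounts, and a defined list of allowable remote access with all remote sessions captured in logs) are the kind of thing a facility can check mechanically before ticking the box. The script below is an added example, not part of the original post and not an ISCD or DHS tool: it runs those four checks over a small constructed inventory of critical cyber assets, accounts and remote-access log lines. The field names, the role-to-privilege policy, the 90-day dormancy threshold, the log line format and every sample record are assumptions made for the example.

```python
"""Policy checks over a constructed CFATS-style cyber-asset inventory.

Added example, not part of the original post and not an ISCD/DHS tool.
Field names, thresholds and the sample records below are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import re

# Assumed least-privilege policy: the highest privilege each job role may hold.
ROLE_MAX_PRIVILEGE = {"operator": 1, "engineer": 2, "admin": 3}
PRIVILEGE_RANK = {"view": 0, "operate": 1, "configure": 2, "admin": 3}
DORMANT_DAYS = 90           # assumed "timely" de-activation threshold
TODAY = date(2015, 6, 1)    # fixed so the example is reproducible


@dataclass
class Account:
    asset: str          # critical cyber asset the account lives on
    user: str
    role: str           # job role that drives the least-privilege expectation
    privilege: str      # privilege actually granted on the asset
    last_login: date
    active: bool


@dataclass
class Asset:
    name: str
    default_password_changed: bool
    physical_control_documented: bool   # compensating control when a change is not feasible


# Constructed sample data (not from any real facility).
ASSETS = [
    Asset("plc-reactor-1", default_password_changed=False, physical_control_documented=True),
    Asset("hmi-reactor-1", default_password_changed=False, physical_control_documented=False),
    Asset("historian-1", default_password_changed=True, physical_control_documented=False),
]
ACCOUNTS = [
    Account("hmi-reactor-1", "jsmith", "operator", "operate", date(2015, 5, 28), True),
    Account("hmi-reactor-1", "contractor1", "operator", "admin", date(2015, 1, 5), True),
    Account("historian-1", "rlee", "engineer", "configure", date(2015, 5, 30), True),
    Account("historian-1", "olduser", "engineer", "configure", date(2014, 11, 1), False),
]
# Users the facility has defined as allowed remote access (assumed list).
REMOTE_ALLOWED = {"rlee"}
# Constructed remote-access log lines; the syslog-like format is an assumption.
REMOTE_LOG = """\
2015-05-30T08:12:04 vpn-gw session-open user=rlee src=203.0.113.7 dst=historian-1
2015-05-30T22:41:19 vpn-gw session-open user=contractor1 src=198.51.100.9 dst=hmi-reactor-1
2015-05-31T03:02:55 vpn-gw session-open user=jsmith src=203.0.113.44 dst=hmi-reactor-1
"""
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ session-open user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)


def check_default_passwords(assets):
    """Default password must be changed, or a physical control documented where not feasible."""
    return [f"{a.name}: default password unchanged and no physical control documented"
            for a in assets
            if not a.default_password_changed and not a.physical_control_documented]


def check_least_privilege(accounts):
    """Granted privilege must not exceed what the account's role is allowed."""
    return [f"{acc.asset}/{acc.user}: role {acc.role} holds {acc.privilege}"
            for acc in accounts
            if PRIVILEGE_RANK[acc.privilege] > ROLE_MAX_PRIVILEGE[acc.role]]


def check_dormant_accounts(accounts, today=TODAY, limit_days=DORMANT_DAYS):
    """Active accounts with no login inside the threshold were not de-activated in time."""
    cutoff = today - timedelta(days=limit_days)
    return [f"{acc.asset}/{acc.user}: active, last login {acc.last_login.isoformat()}"
            for acc in accounts if acc.active and acc.last_login < cutoff]


def check_remote_access(log_text, allowed=REMOTE_ALLOWED):
    """Every logged remote session must belong to a user on the allowed remote-access list."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            findings.append(f"unparseable remote-access log line: {line!r}")
            continue
        if m["user"] not in allowed:
            findings.append(f"{m['ts']}: remote session by {m['user']} to {m['dst']} not in allowed list")
    return findings


def audit():
    """Run all checks and return the findings keyed by policy area."""
    return {
        "default_passwords": check_default_passwords(ASSETS),
        "least_privilege": check_least_privilege(ACCOUNTS),
        "dormant_accounts": check_dormant_accounts(ACCOUNTS),
        "remote_access": check_remote_access(REMOTE_LOG),
    }


if __name__ == "__main__":
    for area, findings in audit().items():
        print(f"{area}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

On the sample data the script reports one asset with an unchanged default password and no compensating physical control, one operator account holding admin privilege, one active account dormant past the threshold, and two remote sessions by users who are not on the allowed list; an unparseable log line is itself reported, since a remote session that cannot be read from the log is a gap in the "capture all remote access activities" requirement.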
Control Systems
The next section of the cybersecurity portion of the EAP SSP
deals with control systems. For facilities that do not have control systems
that impact the security of the COI there is a single box to check-off
explaining that fact. The Control System section of the SSP reports that the
facility:
∙ Conducts audits that measure
compliance with the cyber security policies, plans, and procedures and results
are reported to senior management;
∙ Documents the business need and
network/system architecture for all cyber assets (systems, applications, services,
and external connections);
∙ Disables all unnecessary system
elements;
∙ Integrates cyber security into
the system lifecycle for all critical cyber assets;
∙ Ensures that service providers
and other third parties with responsibilities for cyber systems have
appropriate personnel security procedures/practices in place;
∙ Identifies and documents systems
boundaries and implements security controls to limit access across those
boundaries;
∙ Monitors the critical networks in
real-time for unauthorized or malicious access and alerts, recognizes and logs
events and incidents;
∙ Has a defined incident response
system for cyber incidents;
∙ Has backup power for all critical
cyber systems; and
∙ Has continuity of operations
plans, IT contingency plans, and/or disaster recovery plans.
Additional requirements documented in the discussion section
include:
∙ Audits must be conducted at least
every two years;
∙ Additions to cyber systems must
be pre-approved by management;
∙ An intrusion detection system
must be used; and
∙ Cyber incident response must
include a requirement to contact a person or agency that “is trained to identify,
contain, and resolve a cyber intrusion, denial-of-service attack, virus, worm
attack, or other cyber incident” (pg 46).
Commentary
It is clear that the EAP guidance for cyber security is
pretty much taken directly from the metrics portion of the RBPS guidance manual.
As such the EAP does not provide any more specificity than does the RBPS; it
does not tell facilities what cybersecurity measures must be put into place.
There are a couple of metrics from the RBPS guidance that
are missing from the EAP program. They include:
8.2.1 The facility has identified
and documented systems boundaries (i.e., the electronic perimeter) and has
implemented security controls to limit access across those boundaries;
8.3.3 IT management, systems
administration, and IT security duties are not performed by the same
individual. In instances where this is not feasible, appropriate compensating
security controls (e.g., administrative controls, such as review and oversight)
have been implemented;
8.5.1 The facility has implemented
cyber security controls to prevent malicious code from exploiting critical
cyber systems, and it applies appropriate software security patches and updates
to systems as soon as possible given critical operational and testing
requirements;
8.5.5 Facilities with control
systems that have SISs have configured the SIS so that they have no unsecured
remote access and cannot be compromised through direct connections to the
systems managing the processes they monitor. (For Control Systems Only)
There is no explanation given as to why these metrics do not
apply to facilities submitting EAP site security plans.
For cybersecurity at least, what the EAP does is to allow a
facility to take its best guess at what security measures must be put into
place to meet these rather vague requirements and then certify that it has done
so. As long as all of the check boxes are marked, DHS will approve the SSP. The
process that now takes place during the SSP authorization and approval process
will simply be transferred to compliance inspection. The difference will be
that DHS will then have the authority to tell the facility what security
measures must be put into place to correct any ‘facial deficiencies’ in the
implementation of the site security plan {6 USC 622(c)(4)(G)(ii)(I)(aa)}.
A quick look at the other RBPS sections of the EAP suggests that they provide a great deal more detail about what is required of a facility site security plan (I’ll go into some of the details in later posts). What is different about cybersecurity is that there are fewer established standards that security professionals generally agree are effective at deterring, detecting and delaying a terrorist attack.
I was hoping that ISCD was going to take a better shot at
establishing such standards, but it was patently unfair to put that load on
this particular organization. While there are some people with computer and
even control systems backgrounds within the ranks of the chemical security
inspectors, this is patently not a cybersecurity standards setting organization
and certainly not one with the control system security expertise to establish
ICS standards.
Given the 180 day standard establishment deadline set by
Congress, it was foolish to think that ISCD could accomplish more in the
cybersecurity realm. They will have to continue on making the system-by-system
judgement to determine if the security measures in place meet the vague
guidelines. Hopefully, that will be the only part of the EAP guidelines that
leaves so much open to interpretation.