EAP Guidance – Cyber Security

This is part of a continuing series of blog posts on the newly released Expedited Approval Program (EAP) guidance document for Tier 3 and Tier 4 facilities under the Chemical Facility Anti-Terrorism Standards (CFATS) program. Other posts in the series are:

DHS Issues Expedited Approval Program Guidance

CFATS EAP Federal Register Notice

EAP Guidance – The Process

EAP Guidance – SSP Status

In the next couple of posts I’ll be looking at some of the actual security requirements outlined in the new EAP. As a reminder, all of these requirements are based upon the standards set forth in the Risk-Based Performance Standards (RBPS) guidance manual issued six years ago. That document describes considerations to be used in selecting appropriate security measures to fulfill each of the 18 standards outlined in 6 CFR 27.230.

I am going to start with the requirements in the EAP for RBPS #8, Cybersecurity. The main reason that I am starting here, rather than at the more conventional starting point, it that I am also interested in how ISCD is dealing with some of the complicated issues of cybersecurity and the EAP provides a unique opportunity to look at how ISCD would like to see cybersecurity implemented in high-risk chemical facilities.

RBPS #8 Requirements

The regulatory requirements for cybersecurity are spelled out in §27.230(8); Deter cyber sabotage, including by preventing unauthorized onsite or remote access to critical process controls, critical business system, and other sensitive computerized systems. The generic discussion of how this can be done starts on page 71 of the RBPS guidance and the metrics for evaluating security measures can be found starting on page 78. In the EAP guidance document the discussion of cybersecurity measures starts on page 40 and the cybersecurity portion of the site security plan (SSP) template starts on page 82.

The first requirement is to establish what computer systems are covered by the SSP. It must always be remembered that the SSP is focused on protecting the DHS chemicals-of-interest (COI) found on the site. This means that the facility is required to list all of the cyber assets that:

∙ Monitor and/or control physical processes that contain a COI;

∙ Are connected to other systems that manage physical processes that contain a COI; or

∙ Contain business or personal information that, if exploited, could result in the theft, diversion, or sabotage of a COI

Computer systems that deal with security functions like access control, surveillance and alarms are not considered under this RBPS unless they are connected to a computer system described above. They are considered during the discussion of their related security measures.

Cybersecurity Policies

The next area of the cybersecurity portion of the SSP deals with the establishment of cybersecurity policies. These policies must:

∙ Be documented, distributed and maintained with a management of change policy;

∙ Include the designation of a trained and qualified individual(s) to manage cyber security for the facility;

∙ Must require account access control to critical cyber systems utilizing the least privilege concept;

∙ Maintain access control lists, and ensure that accounts with access to critical/sensitive information or processes are modified, deleted, or de-activated in a timely manner;

∙ Establish password management protocols to ensure all default passwords have been changed (where possible), enforce password structures, and implement physical controls for cyber systems where changing default passwords is not technically feasible;

∙ Require physical access to critical cyber assets and media;

∙ Provides for cyber security training to all employees that work with critical cyber assets; and

∙ Require that the facility will report significant cyber incidents to senior management and DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).

Each of the bullet points listed above has its own check-off box on the EAP SSP template. There are no requirements to provide any additional information to ISCD for this area of the SSP. In general this will be true for almost all of the EAP SSP documentation. This will be the last time that I mention this check-off technique, but I will mention where the EAP requires additional information be provided to ISCD beyond the simple check the box.

There is a little more detail in the discussion portion of the EAP guidance on the topics listed above. There are only two that have any additional information of significance; the training requirements for the cybersecurity officer (pg 42) and a discussion about the documentation supporting the requirement to report significant cybersecurity incidents to ICS-CERT (pg 43).

Remote Access

Next there is a very short section on remote access to the cybersecurity assets. It requires that:

∙ The facility defines allowable remote access and rules of behavior.

In the detailed discussion there is also a requirement to capture all remote access activities on system logs.

Control Systems

The next section of the cybersecurity portion of the EAP SSP deals with control systems. For facilities that do not have control systems that impact the security of the COI there is a single box to check-off explaining that fact. The Control System section of the SSP reports that the facility:

∙ Conducts audits that measure compliance with the cyber security policies, plans, and procedures and results are reported to senior management;

∙ Documents the business need and network/system architecture for all cyber assets (systems, applications, services, and external connections);

∙ Disables all unnecessary system elements;

∙ Integrates cyber security into the system lifecycle for all critical cyber assets;

∙ Ensures that service providers and other third parties with responsibilities for cyber systems have appropriate personnel security procedures/practices in place;

∙ Identifies and documents systems boundaries and implements security controls to limit access across those boundaries:

∙ Monitors the critical networks in real-time for unauthorized or malicious access and alerts, recognizes and logs events and incidents;

∙ Has a defined incident response system for cyber incidents;

∙ Has backup power for all critical cyber systems; and

∙ Has continuity of operations plans, IT contingency plans, and/or disaster recovery plans.

Additional requirements documented in the discussion section include:

∙ Audits must be conducted at least every two years;

∙ Additions to cyber systems must be pre-approved by management;

∙ An intrusion detection system must be used.

∙ Cyber incident response must include requirement to contact a person or agency that “is trained to identify, contain, and resolve a cyber intrusion, denial-of-service attack, virus, worm attack, or other cyber incident” (pg 46).

Commentary

It is clear that the EAP guidance for cyber security is pretty much taken directly from the metrics portion of the RBPS guidance manual. As such the EAP does not provide any more specificity than does the RBPS; it does not tell facilities what cybersecurity measures must be put into place.

There are a couple of metrics from the RBPS guidance that are missing from the EAP program. They include:

8.2.1 The facility has identified and documented systems boundaries (i.e., the electronic perimeter) and has implemented security controls to limit access across those boundaries;

8.3.3 IT management, systems administration, and IT security duties are not performed by the same individual. In instances where this is not feasible, appropriate compensating security controls (e.g., administrative controls, such as review and oversight) have been implemented;

8.5.1 The facility has implemented cyber security controls to prevent malicious code from exploiting critical cyber systems, and it applies appropriate software security patches and updates to systems as soon as possible given critical operational and testing requirements;

8.5.5 Facilities with control systems that have SISs have configured the SIS so that they have no unsecured remote access and cannot be compromised through direct connections to the systems managing the processes they monitor. (For Control Systems Only)

There is no explanation given as to why these metrics do not apply to facilities submitting EAP site security plans.

For cybersecurity at least, what the EAP does is to allow a facility to take its best guess at what security measures must be put into place to meet these rather vague requirements and then certify that it has done so. As long as all of the check boxes are marked, DHS will approve the SSP. The process that now takes place during the SSP authorization and approval process will simply be transferred to compliance inspection. The difference will be that DHS will then have the authority to tell the facility what security measures must be put into place to correct any ‘facial deficiencies’ in the implementation of the site security plan {6 USC 622(c)(4)(G)(ii)(I)(aa)}.

A quick look at the RBPS sections of the EAP look to provide a great more detail into what is required of a facility site security plan (I’ll go  into some of the details in later posts). What is different about cybersecurity is that there are fewer established standards that security professionals generally agree are effective at deterring, detecting and delaying a terrorist attack.

I was hoping that ISCD was going to take a better shot at establishing such standards, but it was patently unfair to put that load on this particular organization. While there are some people with computer and even control systems backgrounds within the ranks of the chemical security inspectors, this is patently not a cybersecurity standards setting organization and certainly not one with the control system security expertise to establish ICS standards.

Given the 180 day standard establishment deadline set by Congress, it was foolish to think that ISCD could accomplish more in the cybersecurity realm. They will have to continue on making the system-by-system judgement to determine if the security measures in place meet the vague guidelines. Hopefully, that will be the only part of the EAP guidelines that leaves so much open to interpretation.