Today the DHS Infrastructure Security Compliance Division
(ISCD) posted a link to the CFATS Knowledge
Center providing some additional guidance on how ISCD looks at
cybersecurity in the site security plans (SSP) for facilities in the Chemical
Facility Anti-Terrorism Standards (CFATS) program. This is supplemental
information to that found in Risk-Based Performance Standard (RBPS) 8 of the RBPS
Guidance Document.
Because the CFATS program is a risk-based security program,
ISCD is interested in cybersecurity only as it relates to the security
of the DHS chemicals of interest (COI) that caused the facility
to be covered by the CFATS program. Specifically, the guidance notes that ISCD
is looking at cyber systems that:
• Contain business or personal
information that, if exploited, could result in the theft, diversion, or
sabotage of a COI;
• Are connected to other systems
that manage physical processes that contain a COI; or
• Monitor and/or control physical processes that
contain a COI.
The new document provides a brief overview of the types of
activities that ISCD is looking to see in facility SSPs related to three
specific types of cyber systems:
• Critical business systems;
• Critical physical security
systems; and
• Critical control systems.
As with all ISCD guidance, there is very little detail in
this document. This is because of Congressional limitations on the ability of
DHS to specify security measures under the CFATS program. Once a facility has
an approved SSP, however, the measures described in the SSP are specifically
enforceable by ISCD.