The nice thing about writing this blog is that periodically
I get a chance to talk to people in the field that are responsible for
implementing the Chemical Facility Anti-Terrorism Standards (CFATS) program. I
had one of those conversations today with a long-time reader who is a contractor
helping a new CFATS covered facility that was caught up by CSAT 2.0. As
usual, these conversations are tempered by having to adhere to
Chemical-terrorism Vulnerability Information (CVI) rules, so specifics could
not be mentioned. Still, there is some information worth sharing.
CSAT 2.0 and MTSA
A lot of facilities are being introduced to the CFATS
program by recent changes in the Chemical Security
Assessment Tool (CSAT 2.0) and the new risk assessment process that was
concurrently introduced by the Infrastructure Security Compliance Division
(ISCD) at DHS. This was not covered in my discussions today, but I am hearing
indications that some of these new facilities used to feel that they were
exempt from CFATS coverage because they were covered by the Coast Guard’s
Maritime Transportation Security Act (MTSA) program. The notification letters
that ISCD started sending out last fall make it clear that only those portions
of the facility covered by MTSA requirements are exempt from the CFATS program
requirements.
It seems that a number of facilities took the allowable
course of restricting their MTSA footprint to the immediate shore side portion
of their facilities. For many larger facilities, this left major portions of
the facility uncovered by federal security regulations. ISCD made it clear that
those portions of the facility not covered by MTSA were subject to the CFATS
Top Screen reporting requirements and potentially full coverage under the CFATS
program depending on the DHS risk assessment based upon Top Screen submission
data.
After the Tiering Letter
The conversation today addressed some of the lessons learned
at a CSAT 2.0 facility that recently received their tiering letter (the
official notification from CSAT that the Top Screen submission and subsequent
risk assessment had allowed ISCD to determine that the facility is at ‘high-risk’
for potential terrorist attack and was therefore subsequently placed in the
CFATS program).
After the inevitable “oh, no… really?” conversation, the
facility requested a compliance
assistance inspection as they began work on prepping for the security
vulnerability assessment (SVA) and site security plan (SSP) submissions.
Shortly thereafter, a DHS chemical security inspector (I still hate the inevitable
‘CSI’ fallout) showed up to take a look at the facility and the work they had
already done to make it secure. This is one of those rare cases when you can
sigh with relief instead of cringe when the guy says: “I’m from the government
and I’m here to help you.”
The initial good news was that because of a detailed DOT
Hazmat Security Plan (49
CFR 172.802), the facility had a good head start on fulfilling the
requirements of the CFATS Risk-Based Performance Standards (RBPS; 6
CFR 27.230) as explained in the RBPS
Guidance document. Additionally, since the CSI had already seen this type
of facility before, he was able to provide a template that could probably be
used by the facility to submit an alternative security plan (ASP, not the ACC/NACD
ASP that I have previously discussed) instead of submitting the cumbersome SSP
found in the CSAT tool. (Note: I’m trying to see if I can get hold of a link to
that new template.)
Cooperative Enforcement
One of the nice parts of the CFATS program is that ISCD
really is working with facilities to get site security plans formalized. To
understand why, you just need to look at the most basic restriction that ISCD is
operating under; they are forbidden by Congress {6
USC 622(c)(1)(B)(i)} from specifying security measures that facilities must
employ.
In practice, this means that the approval of the SSP by ISCD
is really a negotiating process. The facility proposes a set of security
measures and ISCD determines whether or not those measures meet the RBPS
criteria for the Tier Level to which the facility is assigned. ISCD then
explains any deficiencies and the facility attempts to remedy them. In the
early days of the program this could end up being a rather lengthy process.
Fortunately, the CSIs now have enough experience with facility security plans
that they can offer suggestions about what has worked at other facilities.
Once the SSP is approved by ISCD, the relationship changes to
something closer to a typical agency-private sector relationship, as the
SSP becomes an enforceable set of standards against which compliance can be
measured. I suspect, however, that the relationship will still have more
cooperative overtones than with most government agencies because of the
relatively stable assignment of each CSI to a small number of
facilities. This allows for a better understanding of facility issues and a
closer working relationship.
Cybersecurity
One thing that this new facility was told during their
compliance assistance visit was to make sure that they took a good hard look at
their cybersecurity planning. As one could expect, ISCD is taking its cue from
much higher up the ladder at DHS in focusing on cybersecurity issues.
I reminded my caller that the facility has a relatively
large degree of discretion when it defines the portion of the facility which is
covered by the CFATS program. For facilities with release risk chemicals of
interest (COI) there may be no need to include business IT systems in the CFATS
perimeter if they have no effect on the security of the COI at the facility.
This is yet another good reason for carefully segmenting the different
cyber-networks at a facility.
I also suggested to my reader that they take a good look at
using the Cybersecurity
Evaluation Tool (CSET) to help evaluate the security of their control
systems. The newest versions of this tool from ICS-CERT include specific CFATS
related questions that can be used to help formulate the cybersecurity portion
of the SSP. The use of CSET does not provide a free pass on the RBPS 8
(cybersecurity) requirements, but it can be a helpful tool.