This week the Senate Homeland Security and Governmental
Affairs Committee held a
hearing on the reauthorization of the Chemical Facility Anti-Terrorism
Standards (CFATS) program. The short take on the hearing is that the CFATS
program will be reauthorized and there will be tweaks made to the program. The
most important thing to come out of this hearing, however, was that there are
serious issues with how the CFATS program deals with cybersecurity issues.
Hearing Details
There were three important aspects to the way the Committee
held this hearing. First, instead of having two different panels of witnesses
appear, first government witnesses and then industry witnesses, the hearing was
held at a large square table with all of the witnesses present at one time.
This allowed for some limited exchange between the government and industry
witnesses that added some additional clarity.
Secondly, there were only four Senators who took part in
the hearing. This allowed Sen. Johnson (R,MN) more discretion on the time allotted
for questions and responses. This contributed to the give and take between the
Committee and witnesses as well as between the witnesses.
The final unusual element of the hearing was that one of the
witnesses, Jesse (Jay) LeGros Jr, was a Chemical Security Inspector with the
Infrastructure Security Compliance Division. The fact that he is also a union
representative (AFGE National Local #918) was an interesting take on the normal
congressional interest in the union point of view on legislation and
regulation.
Cybersecurity Problems
The written
testimony from LeGros raised specific issues with the qualification of CSI
to evaluate the cybersecurity implementation of facility site security plans.
This is a problem that I have raised questions about over the years, but it is
the first time that the issue has been raised in a public forum.
LeGros reports that ISCD classifies facilities as having one
of three different levels of cybersecurity issues: minimal, partial and significant.
Since CFATS is a chemical-based security program, the level of concern about
cybersecurity is directly related to how closely the cyber controls are tied to
either the tiered chemicals of concern (COI) or the security controls
protecting those chemicals. No details were provided on how ISCD headquarters
delineates what level a specific facility falls within.
LeGros explains that all CSI are trained to answer the
limited cybersecurity questions that apply to minimal cybersecurity facilities.
A limited number of CSI are supposedly trained to address the cybersecurity
issues at partial cybersecurity facilities and LeGros has questions about the
level of training supplied to those CSI. Finally, only cybersecurity subject
matter experts at ISCD headquarters are able to answer the security questions
associated with significant cybersecurity facilities.
Finally, LeGros describes how an increasing emphasis on
completing a high number of authorization and compliance inspections has
increased the workload on all members of ISCD, but specifically on CSI, and that
has apparently blurred the rules on the cybersecurity portion of the
inspections.
There was an interesting interchange between LeGros and
Sen. Peters (D,MI) from 1:04:50 through 1:14:51 in the hearing
video. This includes some responses from Christopher P. Currie of the GAO
and by David Wulf, the Acting Deputy Assistant Secretary for Infrastructure
Protection, National Protection and Programs Directorate and more usually the
Director of ISCD. This ten-minute dialogue reinforces the points made above.
At the end of that discussion Chairman Johnson makes the
following comment:
“One thing we really need to be
concerned about is mission creep and I think that CFATS is meant to address a
particular problem. Cyber is incredibly complex and is changing all of the
time. I think that it is unrealistic to think that CFATS inspectors can be
cyber trained and really ought to be doing a deep dive. I think that it is outside
of the scope of what CFATS ought to be. That’s my personal opinion. What I
would recommend is focusing the effort on the task at hand, prioritizing things,
and let the cyber issue be dealt with other people at DHS.”
Commentary
I finally got a chance to watch this hearing looking for
information on the Senate attempts at reauthorizing the CFATS program. The good
news is that all of the Senators in the hearing as well as all of the witnesses
favored a reauthorization of the CFATS program. Okay, the explosives people had
a minor caveat to that support; they reasonably want a CFATS exemption for ATF
licensed facilities.
I am extremely concerned with the problems identified in the
cybersecurity implementation in the CFATS program. The CFATS program is only
concerned with computer systems and control systems that directly impact the
safety and security of 300+ chemicals of concern. For chemicals with a release
security issue (toxic, flammable or explosive chemicals) this could specifically
include control systems that automate the manufacture, handling, or storage of
those chemicals. This makes the CFATS program one of the few federal regulatory
programs that specifically addresses industrial control system security.
The cavalier statement by Johnson that the cybersecurity
issue at the chemical facilities should be dealt with by “other people at DHS”
demonstrates a complete misunderstanding of the situation. The cybersecurity
issues that CFATS deals with are directly related to the safety and security of
the dangerous chemicals at the covered facilities; this makes it a security issue
that must be addressed by the CFATS regulations.
There is a way that Johnson’s ‘let someone else handle it’
guidance could work. The reauthorization bill could require that ICS-CERT act
as the cybersecurity inspection force for the CFATS program. The reauthorization
would have to require that ICS-CERT work with ISCD to establish inspection
processes that support the requirements of Risk-Based Performance Standard #8, Cyber,
conduct the inspections and support the analysis of inspection results to
ensure that the facility’s site security plan met the RBPS standards and, on
subsequent compliance inspections, that the facility was meeting the security
plan cybersecurity implementation requirements.
Unfortunately, I do not see this happening. First off, it is
hard to have one federal agency providing day-to-day support for another agency;
the level of coordination required, even within the same Department, is high and there
are competing requirements for manpower scheduling and training.
Second, there is the on-going issue of having enough cybersecurity
experts to go around the necessary government agencies. This is an especially aggravating
problem for industrial control system cybersecurity issues. On the other hand,
ICS-CERT probably has a better chance of attracting ICS cybersecurity talent
than does ISCD. But both agencies will have pay and perk issues in competing with
private sector entities.
Probably the most effective way of dealing with this
particular situation is to authorize ISCD CSI to attend control system security
classes taught by ICS-CERT. There should probably be a basic cybersecurity
course for all CSI (non-ICS computer systems are also covered by the CFATS RBPS
8). More detailed ICS cybersecurity training should be mandated for a minimum
number of inspectors for each regional office. Finally, the ISCD headquarters
should maintain a core of cybersecurity professionals, including ICS security
experts, as subject matter experts to monitor for changes in the cybersecurity
threat and reports of cybersecurity incidents.