On Tuesday Sen. Johnson (R, WI) introduced S 3405, the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2018. While there are a number of complex changes proposed in the bill to the Chemical Facility Anti-Terrorism Standards (CFATS) program (which will be addressed in subsequent blog posts), one item stands out: the removal of all cybersecurity requirements from the CFATS program.
Section 3 of the bill amends 6 USC 622. Among other things it adds a new paragraph to §622(a) {new §622(a)(3)} that states: “The risk-based performance standards established under paragraph (2)(C) shall not include any standard relating to cybersecurity.”
Current Cybersecurity Requirements
The risk-based performance standards (RBPS) establish the requirements that a site security plan (SSP) developed under the program must meet to be approved under the program. The current CFATS regulations (6 CFR 27) contain 18 risk-based performance standards in §27.230; RBPS #8 is cybersecurity. Section 27.230(a)(8) rather succinctly states:
“Cyber. Deter cyber sabotage,
including by preventing unauthorized onsite or remote access to critical
process controls, such as Supervisory Control and Data Acquisition (SCADA) systems,
Distributed Control Systems (DCS), Process Control Systems (PCS), Industrial
Control Systems (ICS), critical business system, and other sensitive computerized
systems;”
The Risk Based Performance Standards Guidance manual discusses the types of activities and policies that DHS expects a covered facility’s SSP to address to meet the requirements of RBPS #8. It outlines nine categories of policies and practices:
• Security policy;
• Access control;
• Personnel security;
• Awareness and training;
• Monitoring and incident response;
• Disaster recovery and business continuity;
• System development and acquisition;
• Configuration management; and
• Audits.
The ten-page section (pgs 71-81) in the RBPS Guidance manual concludes with a series of metrics that the Department would use to determine whether a facility’s SSP adequately addresses cybersecurity issues. These metrics are tied to the risk level at a particular facility, as identified in the tier ranking assigned to the facility.
Senate CFATS Hearing
During a hearing in June of this year before the Senate Homeland Security and Governmental Affairs Committee, extensive testimony was heard from a very senior chemical security inspector (CSI) about the shortcomings of the cybersecurity portion of the CFATS program. The main point that CSI LeGros made during both his oral and written testimony was that CSIs have received very minimal training on cybersecurity processes and techniques, and that assessments of the adequacy of the cybersecurity provisions of an SSP were having to be made by subject matter experts at Infrastructure Security Compliance Division (ISCD) headquarters who had never actually visited the facility.
Commentary
This removal of the RBPS #8 requirements from the CFATS process was presaged by comments made by Sen. Johnson at the June CFATS hearing. He stated (at 1:14:08 into the hearing video):
“One thing we really need to be
concerned about is mission creep and I think that CFATS is meant to address a
particular problem. Cyber is incredibly complex and is changing all of the
time. I think that it is unrealistic to think that CFATS inspectors can be
cyber trained and really ought to be doing a deep dive. I think that it is
outside of the scope of what CFATS ought to be. That’s my personal opinion.
What I would recommend is focusing the effort on the task at hand, prioritizing
things, and let the cyber issue be dealt with other people at DHS.”
Unfortunately, completely removing the cybersecurity requirements from the CFATS program does nothing to ensure that ‘other people at DHS’ will look at the issue of securing the industrial control systems, the access control systems, or even the inventory control systems at these high-risk chemical facilities. Without ensuring that the cyber-systems at these facilities are protected against outside manipulation, there is effectively NO SECURITY at the facility.
Attacks against the access control systems could cause the automated security systems to shut down. Attacks against the inventory control and customer ordering systems could cause chemical weapon and improvised explosive precursors to be delivered to terrorists. And attacks against the industrial control systems controlling the movement and storage of flammable and toxic chemicals could result in intentional releases executed by personnel far from the boundaries of the facility.
Throwing out the baby with the bath water is not an effective method of ensuring that the baby is cleaned. The problems identified by LeGros are not insurmountable; they require training for CSIs in the basics of cybersecurity, including ICS cybersecurity. Provisions should also be made for a cadre of CSIs with advanced cybersecurity training (and there are currently at least a few CSIs with extensive cybersecurity backgrounds) for facilities where the cyber-risks are the highest.
Additionally, I have suggested additional cybersecurity language that could have been included as part of this bill. This language would add specific requirements for reporting cybersecurity incidents and include new requirements for facility-specific risk assessments of cybersecurity vulnerabilities reported by ICS-CERT.
I am not surprised that my language was not included; gadflies are seldom consulted in crafting legislation. With that said, however, I am completely flabbergasted that Sen. Johnson could really consider stripping all cybersecurity oversight from the CFATS program. There is no other organization that has an appropriate mandate, inspection force, or even appropriate contact information to verify that high-risk chemical facilities with computer systems that directly affect the safe and secure storage of dangerous chemicals are taking appropriate and adequate measures to protect those computer systems.
This provision of S 3405 needs to be removed from the bill
before it is even considered in Committee.
1 comment:
Please note that the DHS ICS-CERT no longer exists as a result of an internal reorganization that took place within the DHS NCCIC. Although there is still an ICS-CERT web site, it will soon be "re-branded" as NCCIC. All staff members of the former ICS-CERT have either left the organization or have been reassigned within the NCCIC.