CISA Publishes CFATS Iranian Threat Guidance

Yesterday the Cybersecurity and Infrastructure Security Agency (CISA) published their second “Insights” publication dealing with the increased tensions between the United States and Iran; the newest one deals with “Enhancing Chemical Security During Heightened Geopolitical Tensions”. It is interesting to note that neither of the two Insight documents issued since January 6^th specifically mention Iran.

CFATS Coverage

This document was issued by CISA not the Infrastructure Security Compliance Division, the office in CISA that administers the Chemical Facility Anti-Terrorism Standards (CFATS) program. While not specifically a CFATS document it does make one very important CFATS announcement:

“As of January 15, 2020, tiered CFATS facilities are not being required to implement the heightened security measures under Risk-Based Performance Standards (RBPS) 13 and 14 of their security plans. CISA is monitoring the intelligence information and will inform high-risk chemical facilities if there are changes that warrant activation of RBPS 13 or 14.”

I covered the RPBS 13 requirements under CFATS a couple of days ago. RBPS 14 covers the requirements for facilities to address new threat information provided to them by DHS. This RBPS envisions potential security issues that may arise that would not be covered by a facility’s Site Security Plan and would require emergency type planning and actions on the facility’s part to address the new issue.

As of this morning there is no reference to this document in the CFATS Knowledge Center.

Facilities of Interest Coverage

The document makes multiple references to “facilities with chemicals of interest (COI)—whether tiered or untiered”; what 6 USC 21(2) refers to as a ‘facility of interest’. What this means is that the 42,000+ facilities that have submitted Top Screens should probably pay some attention to this non-regulatory publication. And, of course, any other chemical facility that may feel it needs to pay special attention to their security during this ‘time of tension’.

One area where the ‘facilities of interest’ becomes interesting is in the next to last paragraph of the Insight:

“CISA has more than 150 Chemical Security Inspectors (CSI) around the country who are available to assist facilities possessing chemicals of interest, including non-tiered facilities. To request further information, please contact your local CSI. To find out who your local CSI is, please email [CFATS@hq.dhs.gov] the CFATS team the facility name, location, facility point of contact, contact information (i.e., phone and email), and desired meeting dates.”

The offer to make CSI available to non-regulated facilities to provide their advice on chemical facility security matters is impressive, but it is not the first time that this offer has been made. ISCD Director Wulf made the same general offer in his testimony before the House Energy and Commerce Committee last year.

The Document

The two-page document is broken down into three broad categories:

• Things to Do Today;

• Actions for Cybersecurity; and

• Actions for Physical Protection

Each of those categories is broken down into smaller bites with multiple bullet points. It could be made into a rather good PowerPoint® presentation without much effort. This could mean that there is little detail provided, but CISA has dealt with this by adding links at several points to more complete information. Still this is a broad guideline and the help of a security professional (including CSI) would certainly be desirable if a facility is really interested in responding to the increased tensions. At the very least, this provides a good set of talking points for a facility security officer to take up with management.

Commentary

The only major point that I have any disappointment with this document is the a lack of detail about IED precursor chemicals. All of the Iranian specific documents released this year by the Department highlight the potential IED threat from Hezbollah and other groups associated with Iran and their Revolutionary Guards. I suspect that this lack of specific coverage is due to the fact that the document is not specifically addressing the Iranian related threat.