Last week the Government Accountability Office published
their latest report on the Chemical Facility Anti-Terrorism Standards (CFATS)
program. This report specifically addresses the cybersecurity component of the
CFATS program. It provides six recommendations to address cybersecurity
guidance for covered facilities and cybersecurity training for chemical
security inspectors (CSI).
The Recommendations
The GAO report recommended (and DHS concurred) that DHS should:
• Implement a documented process for reviewing and, if deemed necessary, revising its guidance for implementing cybersecurity measures at regularly defined intervals.
• Incorporate measures to assess the contribution that its cybersecurity training is making to program goals, such as inspector- or program-specific performance improvement goals.
• Track delivery and performance data for its cybersecurity training, such as the completion of courses, webinars, and refresher trainings.
• Develop a plan to evaluate the effectiveness of its cybersecurity training, such as collecting and analyzing course evaluation forms.
• Develop a workforce plan that addresses the program’s cybersecurity-related needs, which should include an analysis of any gaps in the program’s capacity and capability to perform its cybersecurity-related functions, and human capital strategies to address them.
• Maintain reliable, readily available information about the cyber integration levels of covered chemical facilities and inspector cybersecurity expertise. This could include updating the program’s inspection database system to better track facilities’ cyber integration levels.
Cybersecurity Guidance
The main complaint the GAO had with the cybersecurity
guidance provided by the Cybersecurity and Infrastructure Security Agency’s
(CISA) Infrastructure Security Compliance Division (ISCD) is that it is over
ten years old. That guidance is found in the CFATS Risk Based Performance
Standards (RBPS) Guidance document that was published in May 2009.
Cybersecurity is addressed in RBPS number 8. The seven pages of ‘guidance’
are a broadly written overview of general cybersecurity provisions that might be
appropriate to a high-risk chemical facility. It includes paragraphs addressing
various topics in the areas of:
• Security Policy,
• Access Control,
• Personnel Security,
• Awareness and Training,
• Cyber Security Controls, Monitoring, Response, and Reporting,
• Disaster Recovery and Business Continuity,
• System Development and Acquisition,
• Configuration Management, and
• Audits.
The RBPS Guidance then goes on to discuss (similarly
briefly) security considerations associated with:
• Potential Off-site Aspect of Cyber Security,
• Interconnectivity of Critical and Seemingly Non-Critical Systems,
• Impact of Risk Drivers,
• Physical Security for Cyber Assets, and
• Layered Security.
Finally, the RBPS Guidance cybersecurity section provides a
series of metrics that ISCD would use in assessing whether or not a facility’s
site security plan adequately addresses the cyber RBPS. Those metrics are keyed
to the risk rating of each facility; generally speaking, higher risk facilities
have to take more actions to protect the facility from potential terrorist
cyber threats. The threat metrics address:
• Cyber Security Policies,
• Access Control,
• Personnel Security,
• Awareness and Training,
• Cyber Security Controls, Monitoring, Response, and Reporting,
• Disaster Recovery and Business Continuity,
• System Development and Acquisition,
• Configuration Management, and
• Audits.
Guidance Problems
Beyond the age of the document, the biggest problem with the RBPS Guidance,
one not addressed by the GAO report, is that the writers had to be careful not
to be ‘too prescriptive’ in their discussions about security issues. I
discussed this problem in some depth when the document was published, but in
short, DHS was dealing with a congressional restriction on providing any sort
of one-size-fits-all facilities regulation. In my opinion, they bent over
backwards in the RBPS Guidance document to avoid any sort of appearance of
dictating security measures, and the document is weak as a result.
Proposals for Additional Guidance
While the issues discussed in the RBPS Guidance are still
appropriate cybersecurity considerations, they fail to address any of the
emerging cybersecurity threats that face high-risk chemical facilities. An
updated discussion would have to include discussions about:
• Phishing,
• Ransomware,
• Advanced persistent threats,
• Security Operations Centers,
• Patching and vulnerability risk assessments, and
• Vulnerability reporting.
An additional topic for inclusion would be the ISCD’s
cybersecurity integration level program. This is an internal ISCD assessment of
the level of integration of cyber systems into the protection and utilization
of chemicals of interest. This program was described on pages 15-17 of the GAO
report. ISCD uses this assessment to assign CSI with varying levels of
cybersecurity expertise to the appropriate facilities. In many ways this
integration assessment would make more sense than risk levels alone in
determining which sorts of cybersecurity controls should be in place at
facilities.
Problems with Changes
ISCD has a long history of being very responsive to industry
concerns with the CFATS program. They have to be to ensure continued congressional
support for the program. That support, in turn, is necessary because of the continued
short-term reauthorization process for the program. This does cause some
problems for the CFATS program.
ISCD would almost certainly have to go through the comment
and response process that it used in the original publication of the RBPS
Guidance in any revision of the document. Industry would be leery of any
substantive changes to that document that might cause facilities to change
their existing security procedures. This has almost certainly been one of the
reasons why ISCD has been reluctant to undertake a review and update of that
document. On the flip side, of course, if no changes in security programs
would be required, why should ISCD take the effort to update the document?
Congress needs to provide cover to ISCD in this matter. As
part of the impending CFATS reauthorization, Congress should include a mandate
for review and update of the RBPS Guidance. To avoid additional wrangling over
what to include in the bill, Congress should not specify what the update must
contain. That should be left to the review process.
Congress should, however, require ISCD to include examples of what sorts of controls
could be included in a site security plan to meet the metrics provided
in the Guidance.