GAO CFATS Cybersecurity Report – Outdated Guidance

Last week the Government Accountability Office published their latest report on the Chemical Facility Anti-Terrorism Standards (CFATS) program. This report specifically addresses the cybersecurity component of the CFATS program. It provides six recommendations to address cybersecurity guidance for covered facilities and cybersecurity training for chemical security inspectors (CSI).

The Recommendations

The GAO report recommended (and DHS concurred) that DHS should:

• Implement a documented process for reviewing and, if deemed necessary, revising its guidance for implementing cybersecurity measures at regularly defined intervals.

• Incorporate measures to assess the contribution that its cybersecurity training is making to program goals, such as inspector- or program specific performance improvement goals.

• Track delivery and performance data for its cybersecurity training, such as the completion of courses, webinars, and refresher trainings.

• Develop a plan to evaluate the effectiveness of its cybersecurity training, such as collecting and analyzing course evaluation forms.

• Develop a workforce plan that addresses the program’s cybersecurity related needs, which should include an analysis of any gaps in the program’s capacity and capability to perform its cybersecurity-related functions, and human capital strategies to address them.

• Maintain reliable, readily available information about the cyber integration levels of covered chemical facilities and inspector cybersecurity expertise. This could include updating the program’s inspection database system to better track facilities’ cyber integration levels.

Cybersecurity Guidance

The main complaint the GAO had with the cybersecurity guidance provided by the Cybersecurity and Infrastructure Security Agency’s (CISA) Infrastructure Security Compliance Division (ISCD) is that it is over ten years old. That guidance is found in the CFATS Risk Based Performance Standards (RBPS) Guidance document that was published in May 2009. Cybersecurity it addressed in RBPS number 8. The seven pages of ‘guidance’ is a broadly written overview of general cybersecurity provisions that might be appropriate to a high-risk chemical facility. It includes paragraphs addressing various topics in the areas of:

• Security Policy,

• Access Control,

• Personnel Security,

• Awareness and Training,

• Cyber Security Controls, Monitoring, Response, and Reporting,

• Disaster Recovery and Business Continuity,

• System Development and Acquisition,

• Configuration Management, and

• Audits.

The RBPS Guidance then goes on to discuss (similarly briefly) security considerations associated with:

• Potential Off-site Aspect of Cyber Security,

• Interconnectivity of Critical and Seemingly Non-Critical Systems,

• Impact of Risk Drivers,

• Physical Security for Cyber Assets, and

• Layered Security,

Finally, the RBPS Guidance cybersecurity section provides a series of metrics that ISCD would use in assessing whether or not a facility’s site security plan adequately addresses the cyber RBPS. Those metrics are keyed to the risk rating of each facility; generally speaking, higher risk facilities have to take more actions to protect the facility from potential terrorist cyber threats. The threat metrics address:

• Cyber Security Policies,

• Access Control

• Personnel Security,

• Awareness and Training,

• Cyber Security Controls, Monitoring, Response, and Reporting,

• Disaster Recovery and Business Continuity,

• System Development and Acquisition,

• Configuration Management, and

• Audits

Guidance Problems

Beyond the age of the document, the biggest problem with the RBPS Guidance was not addressed by the GAO report and that is that the writers had to be careful not to be ‘too prescriptive’ in their discussions about security issues. I discussed this problem in some depth when the document was published, but in short DHS was dealing with a congressional restriction on providing any sort of one-size-fits-all facilities regulation. In my opinion, they bent over backwards in the RBPS Guidance document to avoid any sort of appearance of dictating security measures and the document is weak as a result.

Proposals for Additional Guidance

While the issues discussed in the RPBS Guidance are still appropriate cybersecurity considerations, they fail to address any of the emerging cybersecurity threats that face high-risk chemical facilities. An updated discussion would have to include discussions about:

• Phishing,

• Ransomware,

• Advanced persistent threats,

• Security Operations Centers,

• Patching and vulnerability risk assessments, and

• Vulnerability reporting.

An additional topic for inclusion would be the ISCD’s cybersecurity integration level program. This is an internal ISCD assessment of the level of integration of cyber systems into the protection and utilization of chemicals of interest. This program was described on pages 15-17 of the GAO report. ISCD uses this assessment to assign CSI with varying levels of cybersecurity expertise to the appropriate facilities. In many ways this integration assessment would more sense than just risk levels in determining which sorts of cybersecurity controls should be in place for facilities.

Problems with Changes

ISCD has a long history of being very responsive to industry concerns with the CFATS programs. They have to be to ensure continued congressional support for the program. That support, in turn, is necessary because of the continued short-term reauthorization process for the program. This does cause some problems for the CFATS program.

ISCD would almost certainly have to go through the comment and response process that it used in the original publication of the RBPS Guidance in any revision of the document. Industry would be leery of any substantive changes to that document that might cause facilities to change their existing security procedures. This is almost certainly been one of the reasons why ISCD has been reluctant to undertake a review and update of that document. On the flip side of that, is of course, if no changes in security programs would be required, why should ISCD take the effort to update the document.

Congress needs to provide cover to ISCD in this matter. As part of the impending CFATS reauthorization, Congress should include a mandate for review and update of the RBPS Guidance. To avoid additional wrangling over what to include in the bill, specifics on what to include in the update should not be provided by congress. That should be left to the review process. Congress should, however, require ISCD to include examples of what sorts of controls could be included in a site security plan to meet the metrics provided in the Guidance.