Retrospective CFATS Cost Analysis – No Cybersecurity Costs

When I wrote yesterday’s blog post about CISA’s retrospective cost analysis of the Chemical Facility Anti-Terrorism Standards (CFATS) program, I only did a cursory search for cybersecurity-related measures before I noted: “The other area that is apparently short-changed in this assessment is the cost of cybersecurity measures.” I have since gone back and done a more organized search for discussion about cybersecurity costs associated with the program and can find nothing.

Search Methods

The first and most obvious search was for the term ‘cyber’. With just one exception, the search only turned up that word in association with the full name for CISA, the Cybersecurity and Infrastructure Security Agency. The one exception was found in a footnote (#3) on page 15:

“Each SSP consist of a series of questions for each of the following security topics: Detection; Delay; Response; Cyber; Security Management. For each of these topics, respondents are asked to provide information about a number of existing security measures. In addition to the questions about existing measures, there are questions regarding planned and proposed measures.”

I then looked for the following terms related to cybersecurity measures that one would expect to see employed in a chemical facility:

• Firewall – no matches,
• Intrusion detection – only related to facility physical security measures,
• Anti-virus – no matches,
• Network segmentation – no matches,
• System boundaries – no matches,
• External Connections – no matches,
• Network – no matches,
• Control system – only related to facility physical security ‘access control system’,
• Remote access – no matches,
• Virtual Private Network – no matches,
• Least privilege – no matches,
• Information storage media – no matches, and
• Safety instrumented systems – no matches

Finally, I searched for the cybersecurity measures recommended in the Risk Based Performance Standard (RBPS) guidance document:

• Security policy – no matches,
• Access control – only related to facility physical security measures,
• Personnel security – no matches,
• Awareness and training – no matches,
• Monitoring and incident response – no matches,
• Disaster recovery and business continuity – no matches,
• System development and acquisition – no matches,
• Configuration management – no matches, and
• Audits – multiple mentions of non-cyber specific ‘annual internal audits’


While I acknowledge that the cost of many of the standard cybersecurity measures (network segmentation for instance) would be difficult to estimate using the processes described in this document, the total failure to mention any cyber-related security measures or costs throws this complete document into question.

I could understand this failure to address cybersecurity costs in assessments conducted by non-technical organizations, but the failure of the CYBERSECURITY and Infrastructure Security Agency to even mention cybersecurity is a complete travesty. It also begs the question of what other major areas of security were ignored in the development of this document.

This lack of cybersecurity coverage is even worse when taken together with the recent GAO report on cybersecurity issues in the CFATS program. Perhaps Congress needs to move forward with a one-year continuation of the CFATS program (current authorization expires next month) while taking a hard look at the cybersecurity portions of the program.

