Last month the Cybersecurity and Infrastructure Security
Agency (CISA) announced the
availability of the “Retrospective Analysis of the 2007 Chemical Facility
Anti-Terrorism Standards” for public review and comment. In three earlier posts
I provided an analysis of the document and the data shortcomings that I had
discovered. Those three posts were:
In this post I will be summarizing the missing cost
estimates from those earlier documents and I will be submitting a copy of this
post as my contribution to the comments that CISA has solicited.
First, CISA is to be commended, both for the presentation of
this document and the effort that the Agency has expended in its preparation.
The use of the data submitted by CFATS covered facilities through the Chemical
Security Assessment Tool (CSAT) for the preparation of this data demonstrates
the continuing saga of innovation in this regulatory program. The folks at the
Infrastructure Security Compliance Division are to be saluted on their ongoing
efforts to make the CFATS program more effective and efficient.
CISA’s use of the ‘proposed security measure’ comments in
the CSAT submissions for the facility site security plans was a very good way
of identifying new capital costs that facilities were intending to incur in
support of their implementation of the CFATS program at their facilities.
Having said that, however, reliance on that technique is also the cause of the
major shortcomings of this cost analysis. CISA assumes that ‘current’ security
measures documented in the site security plan (SSP) were in existence before
the facility began the development of their SSPs. While this is almost
certainly true for some of the major components of the physical security
apparatus (fences, gates and guard forces, for example), many facilities
incurred costs improving their security programs during the long site security
plan approval process that facilities went through in the earlier years of the
CFATS program.
Additionally, many of the security improvements that were
put into place by facilities were not capital expenditures. Personnel costs
(including training at all levels in the organization) and security
consultation/integration costs in the early stages of program implementation would
not typically be included in capital costs. Many of those types of costs would
be incurred before the SSP was submitted, but after the facility was identified
as a high-risk facility covered by the program. CISA is only going to be able
to identify those costs by feedback from the affected facilities.
Finally, there is one other category of costs that is not
readily available from the current community of CFATS covered facilities: those
costs incurred by facilities to reduce their risks to the extent that they
would no longer be covered by the CFATS program.
RBPS Not Specifically Covered
Looking through the retrospective analysis document, it
quickly becomes apparent that CISA has expended a great deal of effort to
address costs associated with the physical security of facilities and assets
under the CFATS program. Unfortunately, physical security efforts are only a
portion of the Risk Based Performance Standards that facilities must address in
their site security plans. I can find no mention of measures supporting the
following RBPS in the CISA document:
• RBPS #8 – Cyber,
• RBPS #9 – Response,
• RBPS #13 – Elevated threats,
• RBPS #14 – Specific threats,
• RBPS #15 – Reporting of significant security incidents, and
• RBPS #16 – Significant security incidents and suspicious activities.
With the exception of RBPS #8 and #9, the costs incurred in
meeting the requirements of these RBPS would be relatively low compared to the
physical security costs addressed by CISA. Analysis of the costs associated
with these RBPS needs to address expenditures for each of the security measures
listed in the RBPS Guidance document for those RBPS.
RBPS #8 – Cyber
None of the cyber related security measures listed in the Guidance
are even mentioned (with the noted exceptions) in the Assessment. These measures
include:
• Security policy – no matches,
• Access control – only related to facility physical security measures,
• Personnel security – no matches,
• Awareness and training – no matches,
• Monitoring and incident response – no matches,
• Disaster recovery and business continuity – no matches,
• System development and acquisition – no matches,
• Configuration management – no matches, and
• Audits – multiple mentions of non-cyber specific ‘annual internal audits’.
Additionally, facilities could be expected to employ one or
more of the following cybersecurity tools or processes in their efforts to
protect their industrial control systems, security systems and information
systems under RBPS 8:
• Firewall – no matches,
• Intrusion detection – only related to facility physical security measures,
• Anti-virus – no matches,
• Network segmentation – no matches,
• Remote access controls – no matches, and
• Virtual Private Network – no matches.
The comments provided with each security measure refer to
search results for the item in the Assessment document.
RBPS #9 – Response
None of the security measures described in the Guidance
document associated with RBPS 9, Response, are mentioned in the Assessment.
These include:
• Emergency plans and processes, and
• Emergency response equipment.
As with most of the security measures found in the Guidance
document, these two were addressed to some extent by most facilities prior to
their being notified that they were covered facilities under the CFATS program.
Still, most facilities had to undertake additional efforts to ensure that they
met the metrics for RBPS #9 listed in the Guidance.
Conclusion
In closing, I would like to reiterate my support for the
effort that CISA has taken to date in preparing their assessment. However,
there are some shortcomings in the processes and scope of that assessment that
CISA is actively trying to address by soliciting comments on their efforts to
date. I expect that there will be a significant response by the regulated
community. To receive more comprehensive results, CISA is probably going to
have to directly contact past and present covered facilities with specific
questions about the costs that they incurred in preparing and implementing
their site security plans.
I will be submitting a copy of this blog post to www.Regulations.gov, Docket #DHS-2014-0016.