Friday, April 23, 2021

Pharma and CFATS

I had another interesting social media conversation with a new reader. This one was pointed to me by a long-time reader because of cybersecurity regulatory questions for chemical facilities. They brought up some interesting CFATS questions about foreign owned pharmaceutical facilities.

Pharma as Chemical Facility

For manufacturing facilities, the only program that I know of that regulates cybersecurity is the Chemical Facility Anti-Terrorism Standards (CFATS) program. That program is unique for now in that respect. And yes, pharmaceutical manufacturing facilities and some labs could come under the CFATS program. It would depend on the chemical inventory at the site.

CFATS Process Overview

If the facility had one or more of the 300+ DHS chemicals of interest (COI) on site within the last 60 days in an amount in excess of the screening threshold quantity for that chemical, the facility would have to submit an online Top Screen survey about the facility and the chemicals used there. The DHS Office of Chemical Security (OCS) would then conduct a risk assessment to determine if the facility was at high risk for terrorist attack. If it were, the facility would fall under the CFATS program and would end up having to submit a Site Security Plan (SSP) to OCS for approval. That SSP would have to address each of the Risk-Based Performance Standards outlined in the CFATS regulations. Cybersecurity is one of those standards. OCS would conduct periodic compliance inspections once that SSP was approved.

Overseas Facilities

An interesting question came up in the conversation: would overseas facilities be affected by the CFATS program? Generally speaking, CFATS is only concerned with facilities in the United States and its territories. There is potentially one exception to that, and that needs some background.

Typically, the CFATS program just covers a facility that has chemicals of interest on site. Sometimes, however, off-site facilities have an impact on the covered facility’s site security plans. Records about employee background checks could be held at corporate headquarters. Security system monitoring could be conducted at a third-party facility. Or, a covered computer system could reside off-site.

A covered computer system for the purposes of the CFATS program is one that has a direct impact on the protection of the COI on site. This could include process control systems and security control systems. For COI that present a theft-diversion security issue (explosives, chemical weapons, or their precursors), the order control system for the facility would also be considered a covered computer system, since it could be used to divert a shipment of the COI. The protection of those computer systems would be covered under the CFATS program, and chemical security inspectors (CSI) would be expected to ensure that the security measures outlined in the SSP were properly implemented.

Now, I do not expect that a CSI would travel outside the United States to inspect a covered computer system. First, that could get a tad bit expensive. Second, the authority of those inspectors would stop once our border was crossed. I do, however, think that OCS would insist on having some sort of way of ensuring SSP compliance. I am sure that would be taken care of in the SSP approval process.

