Sunday, January 22, 2023

Review - CFATS Regulation Changes – Cybersecurity

NOTE: This is the second in a series of posts looking at potential changes to the Chemical Facility Anti-Terrorism Standards (CFATS) regulation that CISA may be intending to make when they issue their notice of proposed rulemaking (NPRM) later this year.

With the TSA issuing multiple security directives concerning the cybersecurity of surface transportation assets, including pipelines and railroads, and multiple news sources claiming that a new executive order on cybersecurity for critical infrastructure is impending, it seems clear that CISA may be considering changes to the existing cybersecurity requirements for the CFATS program.

Proposed Changes

CISA has not discussed, in either of the two earlier advance notices of proposed rulemaking (here and here), any particular cybersecurity revisions that it would like to see in future regulatory changes. Here are two changes that I think ought to be included.

Revise the security vulnerability assessment requirements of 6 CFR 27.215(a) to insert a new paragraph (2):

“(2) Cyber asset characterization, which includes the identification and characterization of cyber assets that support, affect, or control the critical assets identified in (1), including the programs, systems and procedures which protect such cyber assets from unauthorized access or modification;”

Revise the RBPS cyber requirement of §27.230(a)(8) to read:

(8) Cyber.

(i) Deter cyber sabotage of cyber assets identified in §27.215(a)(2), including by preventing unauthorized onsite or remote access to critical process controls, such as Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), Process Control Systems (PCS), Industrial Control Systems (ICS), critical business system, and other sensitive computerized systems; and

(ii) Prevent the unauthorized modification of business systems, order controls, and inventory systems that would allow, authorize or order unauthorized transfer of chemicals of interest identified in Appendix A;

For more details about the background and constraints on any cybersecurity regulatory changes, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/cfats-regulation-changes-9d5 - subscription required.
