This is part of a series of blog posts looking at the potential for the authorization of CISA’s existing ChemLock program and using it as a voluntary replacement for the now defunct Chemical Facility Anti-Terrorism Standards (CFATS) program. Other posts in this series include:
• Making ChemLock Safety Act Compliant – ChemLock Program Background,
• Reader Comment – TSDB Screening for ChemLock,
• ChemLock and TSDB Screening,
• ChemLock and Risk Based Performance Standards,
• ChemLock and Chemical-Terrorism Vulnerability Information,
• ChemLock and Information Sharing,
• ChemLock and DHS Chemicals of Interest.
NOTE: Previous articles in this series have been removed from the CFSN Detailed Analysis paywall.
The CFATS program was one of the first federal security programs that specifically addressed cybersecurity issues, including control systems. The issue was initially addressed in the regulatory risk-based performance standards (RBPS), 6 CFR 27.230(a)(8):
“(8) Cyber. Deter cyber sabotage, including by preventing unauthorized onsite or remote access to critical process controls, such as Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), Process Control Systems (PCS), Industrial Control Systems (ICS), critical business system, and other sensitive computerized systems;”
More details about what should be addressed in site security plans under RBPS 8 were outlined in the Risk-Based Performance Standard guidance document. While the guidance document was published in 2009 (and never updated), much of the cybersecurity discussion is applicable today. That document discussed nine categories of security measures that were applicable to cybersecurity:
• Security policy,
• Access control,
• Personnel security,
• Awareness and training,
• Monitoring and incident response,
• Disaster recovery and business continuity,
• System development and acquisition,
• Configuration management, and
• Audits
Moving Forward
As I noted in an earlier post, the RBPS could form a valuable part of the ChemLock Safety Act program, but the Guidance Document for the RBPS needs updating, and the discussions dealing with cybersecurity probably need the most work because of the changes that have occurred in cybersecurity management since the 2009 publication of that guidance.
For more details about the cybersecurity issues that could be improved in the RBPS guidance document, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/chemlock-and-cybersecurity - subscription required.