Showing posts with label Cost Analysis. Show all posts

Sunday, July 12, 2020

Comments on Retrospective CFATS Cost Analysis


Last month the Cybersecurity and Infrastructure Security Agency (CISA) announced the availability of the “Retrospective Analysis of the 2007 Chemical Facility Anti-Terrorism Standards” for public review and comment. In three earlier posts I provided an analysis of the document and the data shortcomings that I had discovered. Those three posts were:


In this post I will be summarizing the missing cost estimates from those earlier documents and I will be submitting a copy of this post as my contribution to the comments that CISA has solicited.

First, CISA is to be commended, both for the presentation of this document and the effort that the Agency has expended in its preparation. The use of the data submitted by CFATS covered facilities through the Chemical Security Assessment Tool (CSAT) for the preparation of this data demonstrates the continuing saga of innovation in this regulatory program. The folks at the Infrastructure Security Compliance Division are to be saluted on their ongoing efforts to make the CFATS program more effective and efficient.

CISA’s use of the ‘proposed security measure’ comments in the CSAT submissions for the facility site security plans was a very good way of identifying new capital costs that facilities were intending to incur in support of their implementation of the CFATS program at their facilities. Having said that, however, reliance on that technique is also the cause of the major shortcomings of this cost analysis. CISA assumes that ‘current’ security measures documented in the site security plan (SSP) were in existence before the facility began the development of its SSP. While this is almost certainly true for some of the major components of the physical security apparatus (fences, gates and guard forces, for example), many facilities incurred costs improving their security programs during the long site security plan approval process that facilities went through in the earlier years of the CFATS program.

Additionally, many of the security improvements that were put into place by facilities were not capital expenditures. Personnel costs (including training at all levels in the organization) and security consultation/integration costs in the early stages of program implementation would not typically be included in capital costs. Many of those types of costs would be incurred before the SSP was submitted, but after the facility was identified as a high-risk facility covered by the program. CISA is only going to be able to identify those costs by feedback from the affected facilities.

Finally, there is one other category of costs that is not readily available from the current community of CFATS covered facilities: those costs incurred by facilities to reduce their risks to the extent that they would no longer be covered by the CFATS program.

RBPS Not Specifically Covered


Looking through the retrospective analysis document, it quickly becomes apparent that CISA has expended a great deal of effort to address costs associated with the physical security of facilities and assets under the CFATS program. Unfortunately, physical security efforts are only a portion of the Risk Based Performance Standards that facilities must address in their site security plans. I can find no mention of measures supporting the following RBPS in the CISA document:

• RBPS #8 – Cyber,
• RBPS #9 – Response
• RBPS #13 – Elevated threats,
• RBPS #14 – Specific threats,
• RBPS #15 – Reporting of significant security incidents,
• RBPS #16 – Significant security incidents and suspicious activities,

With the exception of RBPS #8 and #9, the costs incurred meeting the requirements of these RBPS would be relatively low compared to the physical security costs addressed by CISA. Analysis of the costs associated with these RBPS needs to address expenditures for each of the security measures listed in the RBPS Guidance document for those RBPS.

RBPS #8 - Cyber


None of the cyber related security measures listed in the Guidance are even mentioned (with the noted exceptions) in the Assessment. These measures include:

• Security policy – no matches,
• Access control – only related to facility physical security measures,
• Personnel security – no matches,
• Awareness and training – no matches,
• Monitoring and incident response – no matches,
• Disaster recovery and business continuity – no matches,
• System development and acquisition – no matches,
• Configuration management – no matches, and
• Audits – multiple mentions of non-cyber specific ‘annual internal audits’

Additionally, facilities could be expected to employ one or more of the following cybersecurity tools or processes in their efforts to protect their industrial control systems, security systems and information systems under RBPS #8:

• Firewall – no matches,
• Intrusion detection – only related to facility physical security measures,
• Anti-virus – no matches,
• Network segmentation – no matches,
• Remote access controls – no matches,
• Virtual Private Network – no matches,

The comments provided with each security measure refer to the search results for that item in the Assessment document.

RBPS #9 – Response


None of the security measures described in the Guidance document associated with RBPS 9, Response, are mentioned in the Assessment. These include:

• Emergency plans and processes, and
• Emergency response equipment

As with most of the security measures found in the Guidance document, these two were addressed to some extent in most facilities prior to their being notified that they were covered facilities under the CFATS program. Still, most facilities had to undertake additional efforts to ensure that they met the metrics for RBPS #9 listed in the Guidance.

Conclusion


In closing, I would like to reiterate my support for the effort that CISA has taken to date in preparing their assessment. However, there are some shortcomings in the processes and scope of that assessment that CISA is actively trying to address by soliciting comments on their efforts to date. I expect that there will be a significant response by the regulated community. To receive more comprehensive results, CISA is probably going to have to directly contact past and present covered facilities with specific questions about the costs that they incurred in preparing and implementing their site security plans.

I will be submitting a copy of this blog post to www.Regulations.gov, Docket #DHS-2014-0016.

Tuesday, June 30, 2020

Retrospective CFATS Cost Analysis – Other Missing Costs


This is the third post in a series on the recently published “Retrospective Analysis of the 2007 Chemical Facility Anti-Terrorism Standards”. The two earlier posts were:


Missing Cost Identification Methodology


While the analysis is certainly a valuable and commendable effort, CISA is looking for an identification of costs that they may have missed. Using a process similar to the one I used in my analysis of missing cyber costs, I looked at each of the Risk Based Performance Standards in the RBPS Guidance document and identified the ‘security measures’ discussed for each RBPS. I then compared those to the security measures identified in the CISA analysis.

Since I have not implemented any of these security measures in an actual facility, I have no way of estimating their cost. For many of them, CISA would be able to use the same cost estimation methodology that they used in their analysis to identify reasonable cost estimates for the security measures. For security measures like ‘product stewardship’ and ‘inventory controls’, I think that CISA is going to need direct input from affected facilities.

RBPS Missing Costs


RBPS #1 – Restrict area perimeter – extensive data,
    Missing costs: Security lighting and protective force

RBPS #2 – Secure site assets – overlap with RBPS #1,
    Missing costs: Security lighting and protective force

RBPS #3 – Screen and control access – not specifically addressed,
    Missing costs: Personnel identification, hand carried item and vehicle inspections, and parking security

RBPS #4 – Deter, detect and delay – overlap with RBPS #1,
    Missing costs: Security lighting and protective force

RBPS #5 – Shipping, receipt and storage – not specifically addressed,
    Missing costs: Product stewardship and inventory control

RBPS #6 – Theft or diversion – not specifically addressed,
    Missing costs: Inventory controls, procedural measures and physical measures

RBPS #7 – Sabotage – not specifically addressed but some overlap with RBPS #2 and #8,
    Missing costs: Covered elsewhere

RBPS #8 – Cyber – not specifically addressed,
    Missing costs: See earlier blog post

RBPS #9 – Response – not specifically addressed,
    Missing costs: Emergency plans and processes, emergency response equipment

RBPS #10 – Monitoring – not to be confused with ‘monitoring’ in RBPS #1 and #2 – covered,

RBPS #11 – Training – covered,

RBPS #12 – Personnel surety – covered,

RBPS #13 – Elevated threats – not specifically addressed,

RBPS #14 – Specific threats, vulnerabilities or risks – not specifically addressed,

RBPS #15 – Reporting of significant security incidents – not specifically addressed,

RBPS #16 – Significant security incidents and suspicious activities – not specifically addressed,
    Missing costs: Incident investigation

RBPS #17 – Officials and organization – covered,
    Missing costs: Cybersecurity officer

RBPS #18 – Records – covered

Public Comments


Once again, I would like to emphasize that CISA is soliciting public comments on this effort. Comments on CISA cost estimates, methodology and missing costs may be submitted via the Federal eRulemaking Portal (www.regulations.gov; Docket #DHS-2014-0016). Comments should be submitted by September 21st, 2019. Note: this is the 2014 CFATS advanced notice of proposed rulemaking docket.

I will be revising the format for the data in this and the earlier cybersecurity cost blog post for my own comment to be submitted.

Monday, June 22, 2020

Retrospective CFATS Cost Analysis – No Cybersecurity Costs


When I wrote yesterday’s blog post about CISA’s retrospective cost analysis of the Chemical Facility Anti-Terrorism Standards (CFATS) program, I only did a cursory search for cybersecurity related measures before I noted: “The other area that is apparently short-changed in this assessment is the cost of cybersecurity measures.” I have since gone back and done a more organized search for discussion about cybersecurity costs associated with the program and can find nothing.

Search Methods


The first and most obvious search was for the term ‘cyber’. With just one exception, the search only turned up that word in association with the full name for CISA, the Cybersecurity and Infrastructure Security Agency. The one exception was found in a footnote (#3) on page 15:

“Each SSP consist of a series of questions for each of the following security topics: Detection; Delay; Response; Cyber; Security Management. For each of these topics, respondents are asked to provide information about a number of existing security measures. In addition to the questions about existing measures, there are questions regarding planned and proposed measures.”

I then looked for the following terms related to cybersecurity measures that one would expect to see employed in a chemical facility:

• Firewall – no matches,
• Intrusion detection – only related to facility physical security measures,
• Anti-virus – no matches,
• Network segmentation – no matches,
• System boundaries – no matches,
• External Connections – no matches,
• Network – no matches,
• Control system – only related to facility physical security ‘access control system’,
• Remote access – no matches,
• Virtual Private Network – no matches,
• Least privilege – no matches,
• Information storage media – no matches, and
• Safety instrumented systems – no matches

Finally, I searched for the cybersecurity security measures recommended in the Risk Based Performance Standard (RBPS) guidance document:

• Security policy – no matches,
• Access control – only related to facility physical security measures,
• Personnel security – no matches,
• Awareness and training – no matches,
• Monitoring and incident response – no matches,
• Disaster recovery and business continuity – no matches,
• System development and acquisition – no matches,
• Configuration management – no matches, and
• Audits – multiple mentions of non-cyber specific ‘annual internal audits’

Commentary


While I acknowledge that estimating the cost of many of the standard cybersecurity measures (network segmentation, for instance) would be difficult using the processes described in this document, the total failure to mention any cyber related security measures or costs throws this complete document into question.

I could understand this failure to address cybersecurity costs in assessments conducted by non-technical organizations, but the failure of the CYBERSECURITY and Infrastructure Security Agency to even mention cybersecurity is a complete travesty. It also raises the question of what other major areas of security were ignored in the development of this document.

This lack of cybersecurity coverage is even worse when taken together with the recent GAO report on cybersecurity issues in the CFATS program. Perhaps Congress needs to move forward with a one-year continuation of the CFATS program (current authorization expires next month) while taking a hard look at the cybersecurity portions of the program.
