Following the flurry of cyberattacks that have hit U.S. critical infrastructure in recent months, the Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday released new guidelines to help chemical facilities know when to report cyber incidents.
The nation’s security agency has emphasized that the Risk-Based Performance Standard (RBPS) 8 – Cyber and RBPS 15 – Reporting of Significant Security Incidents will now call upon chemical facilities covered under the Chemical Facility Anti-Terrorism Standards (CFATS) program to establish protocols for identifying and reporting significant cyber incidents to appropriate facility personnel, local law enforcement, and the CISA, according to a new webpage and fact sheet.
The CFATS program works with ‘high-risk’ facilities to ensure security measures are in place to reduce the risk of more than 300 chemicals of interest (COI) being weaponized. High-risk facilities are assigned to one of four risk-based tiers and develop a security plan meeting the 18 risk-based performance standards (RBPS) criteria, according to the CISA.
The RBPS 8 – Cyber is a performance standard that addresses the deterrence of cyber sabotage, including preventing unauthorized onsite or remote access to critical process controls, critical business systems, and other sensitive computerized systems at chemical facilities. Cyber systems are integrated throughout the operations of high-risk chemical facilities that possess COI under the CFATS program.
An ideal cybersecurity posture would adopt a comprehensive view of all cyber systems and use a layered approach of policies, practices, and people to prevent, protect against, respond to, and recover from cyber sabotage or incidents such as a denial-of-service attack, virus, worm, and botnet.
RBPS 15 – Reporting of Significant Security Incidents and RBPS 16 – Significant Security Incidents and Suspicious Activities will complement each other and address the importance of developing protocols and procedures for promptly and adequately identifying, investigating, and reporting significant security incidents and suspicious activities in or near the site to appropriate entities.
The chemical sector is made up of several hundred thousand U.S. chemical facilities in a complex, global supply chain, which converts various raw materials into over 70,000 diverse products that are essential to modern life. Based on the end product produced, the sector can be divided into five main segments, each of which has distinct characteristics, growth dynamics, markets, new developments, and issues. These segments include basic chemicals, specialty chemicals, agricultural chemicals, pharmaceuticals, and consumer products.
Chemical facilities covered under the CFATS program should establish protocols for identifying and reporting an incident to the appropriate facility personnel, as well as protocols for determining whether the incident is ‘significant’ and is to be reported to appropriate facility personnel, local law enforcement, and/or the CISA.
CFATS is an initial regulatory program that focuses specifically on security at high-risk chemical facilities while making recommendations to chemical companies to boost their security measures and decrease the likelihood of a successful cyber-attack. Managed by the CISA, the CFATS program identifies and regulates high-risk facilities to ensure they have security measures in place to reduce the risk that certain hazardous chemicals are weaponized by terrorists.
The CFATS regulation applies to facilities across industries, including chemical manufacturing, storage, and distribution; energy and utilities; agriculture and food; explosives; mining; electronics; plastics; universities and laboratories; paint and coatings; and healthcare and pharmaceuticals, among others. Chemical security is not a temporary issue. As threats evolve, the CISA is committed to working with stakeholders to protect the nation’s highest-risk chemical infrastructure.
The chemical sector is an integral component of the U.S. economy that manufactures, stores, uses, and transports potentially dangerous chemicals upon which various other critical infrastructure sectors rely. Securing these chemicals against growing and evolving threats requires vigilance from both the private and public sectors.
The Department of Homeland Security, identified as the Chemical Sector Risk Management Agency (SRMA) in Presidential Policy Directive (PPD) 21, leads the Chemical Sector’s public-private partnership and works with companies to develop tools and resources that enhance the sector’s security and resilience.