The U.S. Government Accountability Office (GAO) released a report last year indicating that thousands of chemical facilities in the United States are vulnerable to cyber attacks due to their reliance on outdated cybersecurity guidance. The GAO audit found that chemical facilities rely on guidance that has not been updated in a decade. Not good news for those tasked with protecting the chemical industry for attack.
Cyber attacks on the chemicals industry can have deadly consequences. For example, in 2018, malicious actors targeted a Middle Eastern company’s industrial safety systems to disrupt the industrial control system, allow attackers to gain access to safety systems, and modify safety processes that could have been physically dangerous or caused harm to people.
“Thousands of facilities that produce, use, or store hazardous chemicals could be targeted or used by terrorists in an effort to inflict mass causalities, damage, and fear,” the GAO report says. “These chemicals could be released from a facility to cause harm to surrounding populations or they could be stolen and used as chemical weapons or as their precursors (the ingredients for making chemical weapons). In addition, as reliance on information systems continues to increase, cyber-based threat adversaries—such as terrorists, criminals, or nations—could maliciously manipulate an organization’s physical security, information, and process control systems to steal chemicals or to cause harm through release or explosion.”
In order to guard against such attacks on the chemicals industry, in 2007, the U.S. Department of Homeland Security established the Chemical Facility Anti-Terrorism Standards program to identify and assess the security risk posed to chemical facilities. The CFATS program offers guidance designed to help the estimated 3,300 CFATS-covered facilities comply with cybersecurity and other standards. However, according to the GAO report, the program does not have a process to routinely review its cybersecurity guidance to ensure that it is up to date with current threats and technological advances.
“While the CFATS program has taken steps to assist high-risk chemical facilities in their efforts to improve their cybersecurity posture, it does not have a process to ensure that it is sharing current, timely, and relevant guidance with industry so that covered chemical facilities can plan accordingly and protect their critical cyber assets with the most effective and efficient technological advances from attack,” the report says. “Moreover, CFATS inspectors may not be fully equipped with the skills needed to perform cybersecurity assessments at these facilities because the program has not fully incorporated several leading practices that GAO identified as key for effective training programs; incorporated cybersecurity needs into its workforce planning processes; or tracked cyber-related workforce data. As a result, CFATS inspectors that are evaluating a facility’s cybersecurity posture may not have the knowledge, skills, and abilities to fully support the program’s cybersecurity-related mission.”
Part of the CFATS program involves the Top-Screen submission process. Any facility that possesses a chemical of interest at or above the screening threshold quantity and concentration listed in the CFATS regulation is required to report those chemicals to the United States Cybersecurity and Infrastructure Security Agency via a Top-Screen survey. Last month, CISA reached a major milestone when it received its 100,000 Top-Screen submission.
“Under the CFATS regulation, all chemical facilities that CISA identifies as high-risk must implement security measures to reduce the risk that dangerous chemicals can be weaponized by terrorists,” says Todd Klessman, Acting Associate Director for Chemical Security at CISA. “The Top-Screen submission is the first step in the CFATS process for identifying which facilities are high-risk.”
According to Klessman, if a facility is determined to be high-risk, it is required to develop and implement a security plan that meets the Risk-Based Performance Standards that are laid out in the CFATS regulation. If the facility is not high-risk, nothing further is required.
“In addition to the types of chemicals, facilities also submit other information, such as the quantity, concentration, and location of the chemicals,” Klessman says. “CISA uses all the information submitted in a Top-Screen to then determine the risk that a facility presents via a risk-based tiering methodology that accounts for vulnerability to a terrorist attack, potential consequences of a terrorist attack, and level of threat of a terrorist attack.”
CISA is the Sector Risk Management Agency for the protecting the chemical industry. Industrial Cyber talked to Klessman about what the agency is doing to secure critical infrastructure in the chemicals industry.
“The CFATS program is only one part of the nation’s network of regulations and other programs that keeps chemicals safe and secure,” Klessman says. “CISA has been and remains committed to working with our industry, federal, state, local, tribal, and territorial partners to enhance the security of the nation’s chemical industry.”
CISA works closely with the private sector and industry associations to identify assets; assess risks and facility security; prioritize needs; develop tools and resources; and implement protective programs. The agency also shares information on threats and best practices for mitigating these threats.
“At the state, local, tribal, and territorial level, CISA engages with a variety of emergency managers, emergency planners, law enforcement, first responders, public health, and other officials to ensure that those officials are aware of facilities that possess dangerous chemicals in their jurisdiction,” Klessman says. “This enables those officials to properly prepare in case of an incident involving dangerous chemicals.
CISA also works with the Chemical Sector Coordinating Council, a group of private sector entities, to engage the chemicals industry in a broad spectrum of activities to support and collaborate on protecting the chemical industry, security and resilience efforts.
“Using the wealth of knowledge, lessons learned, and expertise that CISA has gleaned from more than 10 years of implementing the CFATS regulation, CISA’s Chemical Security program office is also currently developing additional nonregulatory chemical security resources and services to ensure that all facilities that may possess, manufacture, transport, distribute, or use dangerous chemicals can enhance their security posture regardless of regulatory status,” Klessman says. “This voluntary chemical security initiative is still under development, but will likely include on-site security consultations, best practice and security guidance resources, chemical security exercises, and chemical security training.”
As part of its efforts in protecting the chemical industry, CISA works to enhance coordination, support information sharing, and minimize burden on the regulated community. CISA also collaborates with other federal agencies on the Executive Order on Improving Chemical Facility Safety and Security’s National Working Group.
“The chemical industry is facing the same kind of cyberattacks as other industries: denial-of-service attacks, man-in-the-middle attacks, Domain Name System (DNS) tunneling, viruses, ransomware, malware, worms, botnets, phishing, spear phishing, password attacks, advanced persistent threat (APT), SQL injections, and zero-day exploits, among others,” Klessman says. “While the cyberattacks are similar to other industries, the potential consequences for the chemical industry can be much more severe.
“The chemical industry has many process control and business systems that are increasingly internetworked but resistant to standard information security tools and practices. When not properly secured or patched, a cyberattack on one of these systems could potentially cause chemical releases, explosions, or other sabotage incidents that can inflict both significant injuries and fatalities to humans and damage the environment.”