Hardening Cyber Defenses at Chemical Facilities a Key Part of Federal CFATS Regulations

This is Part 3 of TRC’s five-part blog series on the Department of Homeland Security’s Chemical Facility Anti-Terrorism Standards.

When people talk about the Department of Homeland Security’s Chemical Facility Anti-Terrorism Standards (CFATS), the conversation often seems to drift to the chemicals of interest (COI). And understandably so, as these are the raw materials terrorists could use to unleash a horrific attack on the United States.

People new to the CFATS program are often surprised to learn that it also contains robust guidelines for cyber security. They shouldn’t be, however, as hardening defenses against a cyber attack is essential to managing the overall risk for a facility.

In addition to physically securing chemicals, facilities subject to CFATS also need to have comprehensive cyber security policies and practices in place to prevent technology-based attacks – or at least mitigate their impact. This means preventing unauthorized access to sensitive computer or network systems, including:

• Critical process control systems
• Critical business systems
• Video monitoring systems
• Access control systems

The CFATS Cyber Security Measures cover not only the process control systems but also business systems that, if exploited, could result in the theft, diversion, or sabotage of a COI. The proper identification of threats and vulnerabilities and associated risk analysis requires facilities to create a cross-functional team to assess its systems.

The CFATS Cyber Security Measures comprise 46 questions in the following subject areas:

• Policies and training
• IT personnel
• Network accounts and access
• Network operations and system architecture
• Network monitoring and Incident reporting
• Cyber control and business systems
• Cybersecurity other
• Cyber – planned measures
• Cyber – proposed measures

The first step in developing the cyber security portion of a CFATS Site Security Plan (SSP) is assembling comprehensive equipment inventory lists, detailed network topology drawings and copies of existing cyber policies and procedures. Once the background material is put together, an interview process will then review existing and proposed security measures, discuss daily operations, examine incident preparedness and assess resiliency.

Within the security plan, the facility must list all “critical” cyber assets. The DHS defines a critical cyber asset as a system that:

• Contains business or personal information that could be exploited to steal, divert or sabotage a COI.
• Is connected to other systems that manage physical processes involving a COI.
• Monitors or controls physical processes that involve the use of a COI.

This list must include the name of the cyber asset and a brief description that demonstrates how it affects the security of the COI.

How TRC Can Help

TRC provides expert cyber security consulting to help facility owners understand this DHS regulatory program and achieve compliance. The CFATS cyber security questions can be daunting for anyone who is not a cyber specialist, and TRC can help you understand both the letter and the spirit of the requirements.

Our CFATS project teams have extensive experience with assessment, developing cyber security programs, and designing plans that have helped numerous facilities manage chemicals safely and responsibly while reducing risk. By combining in-depth knowledge of the regulations with extensive cyber security expertise, TRC can help you develop individualized compliance strategies to mitigate or manage risks.

Next Steps

• Learn how TRC can help with your overall security and specific cyber security needs.
• Read the first two installments of our CFATS series, “New Issues Emerge Regarding Chemical Security” and “Security Stew: How to Follow the Federal Regulatory Recipe for Safe Chemical Storage.”
• Check out our corporate brochure to see why TRC has been a groundbreaking engineering, environmental consulting and construction management firm since the 1960s.
• Follow us on Twitter, LinkedIn and Facebook.
• Share your thoughts on this post or ask us a question in the comments section at the bottom of the page.