CFATS Regulation Changes - Cybersecurity
NOTE: This is the second in a series of posts looking at potential changes to the Chemical Facility Anti-Terrorism Standards (CFATS) regulation that CISA may be intending to make when they issue their notice of proposed rulemaking (NPRM) later this year.
With the TSA issuing multiple security directives concerning the cybersecurity of surface transportation assets, including pipelines and railroads, and multiple news sources claiming that a new impending executive order on cybersecurity for critical infrastructure, it seems clear that we must consider that CISA may be considering changes in the existing cybersecurity requirements for the CFATS program.
CISA Cybersecurity Comments
In a recent ICR notice for the CFATS program CISA announced that they intend to make a change to the SSP collection tool to “to collect facility internet Protocol (IP) address(es) and Domain Name System (DNS) information.” In addition to supporting the assessment of the Site Security Plan they note that:
“CISA may potentially use this information to integrate with other data within the U.S. Government, conduct related analysis, and provide warnings about cyber threats affecting chemical facilities. CISA expects that answering these questions will not meaningfully increase the estimated SSP/ASP completion time.”
This will not require any regulatory changes to allow CISA to collect this information, but it does indicate CISA’s intent to expand it cybersecurity coverage at CFATS facilities.
The new ‘Statement of Need’ section of the Unified Agenda entry for the pending CFATS regulation update notes:
“Additionally, CISA believes that the CFATS security performance guidelines, first issued in 2009, should be updated to better reflect lessons learned over the past decade, including substantially updating the guidelines for cybersecurity performance metrics.”
The ‘security performance guidelines’ are the Risk-Based Performance Standards (RBPS). These are not actually part of the CFATS regulations, though changes to guidance documents frequently go through the same publish and comment process that is used for regulatory changes, but I would expect to be published separately from any CFATS regulation change. There is a chance, however, that CISA intends to revise the RBPS language {6 CFR 27.230} in the CFATS regulations.
CFATS Regulatory Limitations
The CFATS authorizing statute provides an interesting limitation on the CFATS regulations that was actually specifically included in the §550 authorization language from the 2007 DHS spending bill (PL 109-295, 120 STAT 1388). This limitation is the restriction on DHS (and now CISA) from requiring specific security measures in the approval process for site security plans under the regulations. The current limitation language is found in 6 UCS 622(c)(1)(B):
“(B) Bases for disapproval The Secretary—
“(i) may not disapprove a site security plan based on the presence or absence of a particular security measure; and
“(ii) shall disapprove a site security plan if the plan fails to satisfy the risk-based performance standards established pursuant to subsection (a)(2)(C) [effectively the RBPS guidance document discussed above].”
This restriction was a special burden on chemical security inspectors early in the program as they were told that they could not tell facilities developing site security programs what security measures would be acceptable to DHS in the SSP approval process. This restriction has been eased somewhat as the number of approved site security plans has become much larger and there is a better base of examples that CSI can provide to site security managers as examples of what has worked in the field.
Still, §622(c)(1)(B)(i) will limit how specific CISA can be with any cybersecurity regulations under the CFATS program.
RBPS Requirements
The provisions of 6 CFR 27.230 establish the current risk based performance standards requirement for the CFATS program. Section 27.230(a) establishes that:
“(a) Covered facilities must satisfy the performance standards identified in this section. The Executive Assistant Director will issue guidance on the application of these standards to riskbased tiers of covered facilities, and the acceptable layering of measures used to meet these standards will vary by risk-based tier. Each covered facility must select, develop in their Site Security Plan, and implement appropriately risk-based measures designed to satisfy the following performance standards:”
Paragraph (8) provides that:
“(8) Cyber. Deter cyber sabotage, including by preventing unauthorized onsite or remote access to critical process controls, such as Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), Process Control Systems (PCS), Industrial Control Systems (ICS), critical business system, and other sensitive computerized systems;”
Paragraph (14) provides CISA essential leeway in adding specific security concerns for facility specific situations:
“(14) Specific threats, vulnerabilities, or risks. Address specific threats, vulnerabilities or risks identified by the Executive Assistant Director for the particular facility at issue;”
Proposed Changes
CISA has not discussed in either of the two earlier advanced notices of proposed rulemaking (here and here) any particular cybersecurity revisions that it would like to see in future regulatory changes. Here are two changes that I think ought to be included.
Revise the security vulnerability assessment requirements of 6 CFR 27.215(a) to insert a new paragraph (2):
“(2) Cyber asset characterization, which includes the identification and characterization of cyber assets that support, affect, or control the critical assets identified in (1), including the programs, systems and procedures which protect such cyber assets from unauthorized access or modification;”
Revise the RBPS cyber requirement of §27.230(a)(8) to read:
(8) Cyber.
(i) Deter cyber sabotage of cyber assets identified in §27.215(a)(2), including by preventing unauthorized onsite or remote access to critical process controls, such as Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), Process Control Systems (PCS), Industrial Control Systems (ICS), critical business system, and other sensitive computerized systems; and
(ii) Prevent the unauthorized modification of business systems, order controls, and inventory systems that would allow, authorize or order unauthorized transfer of chemicals of interest identified in Appendix A;