This is part of a series of blog posts looking at the potential for the authorization of CISA’s existing ChemLock program and using it as a voluntary replacement for the now defunct Chemical Facility Anti-Terrorism Standards (CFATS) program. Other posts in this series include:
NOTE: Previous articles in this series have been removed from the CFSN Detailed Analysis paywall.
The CFATS program was one of the first federal security programs to specifically address cybersecurity, including control systems. The issue was first addressed in the regulatory risk-based performance standards (RBPS), at 6 CFR 27.230(a)(8):
“(8) Cyber. Deter cyber sabotage, including by preventing unauthorized onsite or remote access to critical process controls, such as Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), Process Control Systems (PCS), Industrial Control Systems (ICS), critical business system, and other sensitive computerized systems;”
More details about what should be addressed in site security plans under RBPS 8 were outlined in the Risk-Based Performance Standard guidance document. While the guidance document was published in 2009 (and never updated), much of the cybersecurity discussion is applicable today. That document discussed nine categories of security measures that were applicable to cybersecurity:
Security policy,
Access control,
Personnel security,
Awareness and training,
Monitoring and incident response,
Disaster recovery and business continuity,
System development and acquisition,
Configuration management, and
Audits
Cybersecurity Metrics
The Guidance document also provided metrics which could be used to determine whether the facility’s site security program adequately addressed cybersecurity issues. Since the CFATS program was a risk-based program, those metrics were frequently different for each of the four Tiers to which a facility could be assigned based upon the DHS risk assessment. For the cybersecurity portion of the RBPS, however, the same metric applies to all facilities for most of the subcategories. For the rest there are just two separate tier-based metrics: one for Tiers 1 and 2, and one for Tiers 3 and 4.
For example, under the metric for Incident Response (Metric 8.5.3, page 80), the measure for Tier 1 and Tier 2 facilities is: “The facility has a defined 24 × 7 × 365 computer incident response capability for cyber incidents.” For Tier 3 and Tier 4 facilities the measure is: “The facility has defined computer incident response capability for cyber incidents.” Each of these metrics is broadly defined and deliberately avoids describing any specific security measure.
NIST CSF
A lot has happened in cybersecurity since the RBPS guidance document was published in 2009. One of the most obvious changes was the publication of the NIST Cybersecurity Framework (CSF). The CSF is a corporate risk management tool that helps organizations take a structured, detailed look at their current cybersecurity practices and identify areas that need additional work. In many ways it is similar in concept to the RBPS metrics in that it avoids ‘requiring’ specific security measures.
As part of the requirements for achieving Safety Act certification under the ChemLock program, it would probably be helpful to require facilities to develop a CSF Organizational Profile. Having an outside agency (this could be defined to include a corporate cybersecurity entity) complete the assessment would provide a more unbiased look at the current state of cybersecurity at the facility. Since these Organizational Profiles are not pass/fail, the ChemLock requirement would be for a facility to have a current (every two or three years?) Profile, a statement of the gaps that the facility has identified from that Profile, and a prioritized plan for addressing those gaps.
Ransomware
Another area of cybersecurity concern that has arisen since 2009 is the problem of ransomware. These types of attack are not specifically a chemical security concern, but they may have chemical security ramifications. For ChemLock facilities the priority is minimizing those chemical security issues. For instance, critical cyber systems that affect the safety and security of chemicals of interest (COI) should be isolated from other corporate IT systems and from the internet to minimize the chance that a ransomware attack could affect those systems. Recognizing that there is no way to perfectly assure that those critical systems are completely protected, processes have to be put in place to assure that those systems can be safely shut down in the event of a ransomware attack and can be manually operated in a way that assures the safety and security of those COI.
The RBPS cybersecurity guidance needs to be updated to address these issues related to ransomware attacks.
Vulnerability Management
The number of new system vulnerabilities identified and publicly reported has grown by leaps and bounds since the RBPS guidance document was published. Facility cyber systems have become less secure as the number of researchers actively looking for and reporting vulnerabilities in cyber systems has expanded. No cybersecurity program can be considered effective if it does not address this problem.
ChemLock facilities participating in the Safety Act certification process will need some sort of program in place to identify publicly reported vulnerabilities in all of the components of the critical cyber systems protecting, controlling, and managing COI. Facilities would then need a process to evaluate those vulnerabilities and determine their priority for mitigation. Special attention would have to be paid to vulnerabilities that have publicly available exploits or are known to be exploited in the wild. A tool that could be useful in this regard is CISA’s Known Exploited Vulnerabilities (KEV) catalog.
The RBPS cybersecurity guidance needs to be updated to address these issues related to vulnerability management.
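As an added illustration (not code from this post, from CISA, or from any ChemLock tool), the following Python sketch shows the triage step described above: it matches a constructed inventory of critical cyber system components against a constructed vulnerability feed and a constructed KEV-style entry, then ranks findings with known-exploited (KEV) vulnerabilities first, public-exploit vulnerabilities second, and severity alone last. All CVE ids, product names and scores are placeholders; only the KEV field names mirror the real catalog’s JSON.

```python
# Added example, not from the post or CISA: a minimal vulnerability triage pass
# over a facility's critical cyber system components. Every CVE id, product
# and score below is a constructed placeholder.
from dataclasses import dataclass

# Constructed inventory of components that protect, control or manage COI.
INVENTORY = [
    {"asset": "plc-reactor-1", "product": "ExamplePLC Firmware", "version": "2.3"},
    {"asset": "hmi-control-room", "product": "ExampleHMI", "version": "7.1"},
    {"asset": "historian-01", "product": "ExampleHistorian", "version": "4.0"},
]

# Constructed vulnerability feed, as a scanner or advisory subscription might report it.
FEED = [
    {"cve": "CVE-0000-0001", "product": "ExamplePLC Firmware", "versions": ["2.3"], "cvss": 9.8, "public_exploit": False},
    {"cve": "CVE-0000-0002", "product": "ExampleHMI", "versions": ["7.0", "7.1"], "cvss": 7.5, "public_exploit": True},
    {"cve": "CVE-0000-0003", "product": "ExampleHistorian", "versions": ["4.0"], "cvss": 5.3, "public_exploit": False},
    {"cve": "CVE-0000-0004", "product": "ExampleHistorian", "versions": ["3.9"], "cvss": 9.1, "public_exploit": True},
]

# Constructed subset that mimics the shape of entries in CISA's KEV catalog JSON.
KEV = {"vulnerabilities": [
    {"cveID": "CVE-0000-0003", "knownRansomwareCampaignUse": "Known"},
]}

@dataclass
class Finding:
    asset: str
    cve: str
    cvss: float
    in_kev: bool
    public_exploit: bool

    def rank(self):
        # Higher tuple sorts first: KEV (exploited in the wild) beats a public
        # exploit, which beats severity alone; CVSS breaks ties.
        return (self.in_kev, self.public_exploit, self.cvss)

def prioritize(inventory=INVENTORY, feed=FEED, kev=KEV):
    """Return findings for installed component versions, most urgent first."""
    kev_ids = {v["cveID"] for v in kev["vulnerabilities"]}
    findings = []
    for item in inventory:
        for vuln in feed:
            if vuln["product"] == item["product"] and item["version"] in vuln["versions"]:
                findings.append(Finding(item["asset"], vuln["cve"], vuln["cvss"],
                                        vuln["cve"] in kev_ids, vuln["public_exploit"]))
    return sorted(findings, key=Finding.rank, reverse=True)
```

Note that the KEV entry outranks the higher-CVSS findings, and the feed entry for a version not installed (CVE-0000-0004) is dropped, which is why the inventory must be accurate down to the version.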
Moving Forward
As I noted in an earlier post, the RBPS could form a valuable part of the ChemLock Safety Act program, but the Guidance Document for the RBPS needs updating, and the discussions dealing with cybersecurity probably need the most work because of the changes that have occurred in cybersecurity management since the 2009 publication of that guidance. The discussion above points out some of the areas that need to be addressed.