This is Part 3 of TRC’s five-part blog series on the Department of Homeland Security’s Chemical Facility Anti-Terrorism Standards.
When people talk about the Department of Homeland Security’s Chemical Facility Anti-Terrorism Standards (CFATS), the conversation often seems to drift to the chemicals of interest (COI). And understandably so, as these are the raw materials terrorists could use to unleash a horrific attack on the United States.
People new to the CFATS program are often surprised to learn that it also contains robust guidelines for cyber security. They shouldn’t be, however, as hardening defenses against a cyber attack is essential to managing the overall risk for a facility.
In addition to physically securing chemicals, facilities subject to CFATS also need to have comprehensive cyber security policies and practices in place to prevent technology-based attacks – or at least mitigate their impact. This means preventing unauthorized access to sensitive computer or network systems, including:
The CFATS Cyber Security Measures cover not only the process control systems but also business systems that, if exploited, could result in the theft, diversion, or sabotage of a COI. Properly identifying threats and vulnerabilities and performing the associated risk analysis requires each facility to create a cross-functional team to assess its systems.
The CFATS Cyber Security Measures comprise 46 questions in the following subject areas:
The first step in developing the cyber security portion of a CFATS Site Security Plan (SSP) is assembling comprehensive equipment inventory lists, detailed network topology drawings and copies of existing cyber policies and procedures. Once the background material is put together, an interview process will then review existing and proposed security measures, discuss daily operations, examine incident preparedness and assess resiliency.
Within the security plan, the facility must list all “critical” cyber assets. The DHS defines a critical cyber asset as a system that:
This list must include the name of the cyber asset and a brief description that demonstrates how it affects the security of the COI.
How TRC Can Help
TRC provides expert cyber security consulting to help facility owners understand this DHS regulatory program and achieve compliance. The CFATS cyber security questions can be daunting for anyone who is not a cyber specialist, and TRC can help you understand both the letter and the spirit of the requirements.
Our CFATS project teams have extensive experience conducting assessments, developing cyber security programs, and designing plans that have helped numerous facilities manage chemicals safely and responsibly while reducing risk. By combining in-depth knowledge of the regulations with extensive cyber security expertise, TRC can help you develop individualized compliance strategies to mitigate or manage risks.