The U.S. Government Accountability Office (GAO) has identified major gaps in Department of Homeland Security (DHS) procedures for oversight of cybersecurity at high-risk chemical facilities. According to the new GAO report, the Department of Homeland Security must update its guidelines and track its progress to minimize the chemical industry’s vulnerability.
This is alarming news. Washington has designated chemical plants as critical infrastructure that must remain functional, even in the face of challenges such as natural disasters or disease outbreaks. The government has also identified cyberattacks as a major threat to such facilities, on the grounds that security breaches could threaten public health and safety by enabling the theft, destruction, or unauthorized release of hazardous materials.
Nevertheless, the GAO has drawn up a plan for overcoming these challenges – and DHS has concurred with its recommendations.
DHS cybersecurity guidelines are out of date
In a report released earlier this month, the GAO identified the main problem as DHS’ continued reliance on the Chemical Facility Anti-Terrorism Standards (CFATS) program, which covers more than 3,300 facilities that are designated as high-risk.
The report noted that the department had drawn up CFATS in 2007 and had not updated it in more than a decade, even though the program has internal control standards that call for periodic reviews. As a result, it said, the security guidance and training resources that DHS provides to entities that produce, store, or use hazardous chemicals are based on outdated guidelines.
In other words, the department has not kept pace with all of the changes in information technology (IT) and operational technology (OT) over the last 10 years.
This gap is not a problem for all high-risk facilities. According to the report, representatives of one chemical industry group explained that some large corporations had taken matters into their own hands. The representatives also noted, though, that not all companies were capable of taking this course.
“Officials at one of the associations said that due to the passage of time since its issuance, the larger corporations may no longer find the guidance as useful because their cybersecurity programs have matured beyond it,” the report said. “However, these same association officials also acknowledged that smaller companies with less sophisticated information and industrial control systems and with fewer resources likely find the DHS guidance more applicable and useful.”
The GAO report contains a call to action
Under these circumstances, the GAO report states, both DHS and its Cybersecurity and Infrastructure Security Agency (CISA) unit should take certain steps to address the gaps identified in cybersecurity oversight for the chemical industry. Specifically, it called on the assistant director of DHS’ Infrastructure Security Division to improve CFATS by undertaking the following six tasks:
- introduce a documented process for regular review and revision of the cybersecurity guidelines with which high-risk chemical facilities must comply
- develop methods for evaluating the contributions that cybersecurity training sessions make to the CFATS program’s goals
- develop methods for tracking inspectors’ participation in and completion of cybersecurity training courses
- develop methods for assessing the effectiveness of training options for cybersecurity inspectors
- draw up a workforce plan to ensure that the CFATS program addresses the current cybersecurity challenges facing chemical facilities and analyzes gaps in capacity to meet those challenges
- make information available to the public on chemical facilities’ compliance with current cybersecurity standards and on inspectors’ qualifications, using such means as updating the CFATS inspection database system
Although these recommendations address six separate issues, they converge on a single point: the need for accountability through self-monitoring. That is, they call for DHS to track its progress, to analyze its results, to keep pace with developments in other areas, and to be prepared to make changes when circumstances or available data indicate that such action is necessary.
Broadly speaking, DHS has received this advice favorably. When asked to comment, the department concurred with all of the GAO report’s recommendations for addressing gaps in cybersecurity oversight of chemical facilities. It also pledged to take action on these six fronts, saying that it would address the first five points by the end of 2020 and intended to hire an IT contractor to address the last point by the end of 2021. The contractor will help make CISA’s existing Chemical Security Assessment Tool (CSAT) easier to search, it explained.