Chemical Security Assessment Tool (CSAT) Ivanti Notification


The Cybersecurity and Infrastructure Security Agency’s (CISA) Chemical Security Assessment Tool (CSAT) was the target of a cybersecurity intrusion by a malicious actor from January 23-26, 2024. While CISA’s investigation found no evidence of exfiltration of data, this intrusion may have resulted in the potential unauthorized access of Top-Screen surveys, Security Vulnerability Assessments, Site Security Plans, Personnel Surety Program (PSP) submissions, and CSAT user accounts.

Following the reporting requirements under the Federal Information Security Modernization Act (FISMA), CISA notified participants in the Chemical Facility Anti-Terrorism Standards (CFATS) program about the intrusion and potentially impacted information. 

View a copy of the CSAT Notification letters

Recommendations for Facility Action

CISA is encouraging facilities to maintain cyber and physical security measures. While the investigation found no evidence of credentials being stolen, CISA encourages individuals who had CSAT accounts to reset passwords for any account, business or personal, which used the same password. This can help to prevent possible “password spraying” attacks in the future.

For organizations that use Ivanti appliances, please review Cybersecurity Alert (AA24-060B) Threat Actors Exploit Multiple Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways.

Voluntary Notification Options

CISA was not authorized to, and did not collect, the address or contact information for individuals vetted under the CFATS Personnel Surety Program. As a result, CISA is unable to directly contact those individuals who had their information submitted by chemical facilities for terrorist vetting.

CISA is therefore requesting, on a voluntary basis, that facilities that received the CSAT Ivanti Notification Letter notify individuals submitted by that facility for vetting under the CFATS Personnel Surety Program of this incident. Download a template letter that facilities can use to notify personnel. Alternatively, should facilities decline to notify these individuals, CISA requests that facilities provide CISA with the contact information for individuals submitted under the CFATS Personnel Surety Program on a voluntary basis so that CISA can notify impacted individuals. Facilities can send contact information for personnel who had Personally Identifiable Information (PII) submitted for vetting under the CFATS Personnel Surety Program to CFATS.Notifications@cisa.dhs.gov.

Identity Protection for Impacted Individuals

Individuals whose information was submitted for vetting under the CFATS Personnel Surety Program by their employer or a third party between December 2015 and July 2023 are eligible for identity protection services.

To get more information about the identity protection services and to enroll in these services, please contact (888) 377-7912. The services call center will be available 24 hours a day, 7 days a week.

Webinar Information

In addition to the notifications, CISA hosted two webinars for stakeholders during which we reviewed the information provided in the frequently asked questions. The first webinar was held Monday, June 24, 2024, at 2:30 pm ET (11:30 am PT). The second webinar was held on Tuesday, July 9, 2024, at 2:30 pm ET (11:30 am PT).

CSAT Notifications Email Distribution List

To receive updates on the latest information regarding the CSAT notifications, we recommend you subscribe to the new "CSAT Notifications" distribution list.

Subscribe to the CSAT Notifications distribution list

Frequently Asked Questions

How was this compromise identified?

On January 26, CISA identified potentially malicious activity affecting the CSAT Ivanti Connect Secure appliance. During the investigation, we identified that a malicious actor installed an advanced webshell on the Ivanti device. This type of webshell can be used to execute malicious commands or write files to the underlying system. Our analysis further identified that a malicious actor accessed the webshell several times over a two-day period. Importantly, our investigation did not identify adversarial access beyond the Ivanti device nor data exfiltration from the CSAT environment.

What actions did CISA take to address the compromise?

CISA immediately took the system offline, isolated the application from the rest of the network, and began a forensic investigation. This investigation included technical experts from CISA’s Office of the Chief Information Officer, our Cybersecurity Division’s Threat Hunting team, and the Department of Homeland Security’s Network Operations Center. The investigation did not identify adversarial access beyond the Ivanti device nor data exfiltration from the CSAT environment. All information in CSAT was encrypted using AES 256 encryption, and information from each application had additional security controls limiting the likelihood of lateral access. Encryption keys were hidden from the type of access the threat actor had to the system.

If CISA does not have any evidence of data exfiltration, why are notifications being sent?

CISA is notifying all impacted participants in the CFATS program out of an abundance of caution that this information could have been inappropriately accessed. Even without evidence of data exfiltration, the number of potential individuals and organizations whose data was potentially at risk met the threshold of a major incident under the Federal Information Security Modernization Act (FISMA).

Where can I get more information on this cybersecurity incident?

For more on this type of malicious activity, visit Cybersecurity Alert (AA24-060B) Threat Actors Exploit Multiple Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways. 

As a facility official, who do I contact if I have more questions about this incident?

Questions about this incident by chemical facilities or their third-party partners should be addressed to CISA Chemical Security at CFATS.Notifications@cisa.dhs.gov.

As a potentially impacted individual, who do I contact if I have more questions?

Individuals may reach out to CFATS.Notifications@cisa.dhs.gov for general questions or may contact the services call center established for potentially impacted individuals at (888) 377-7912.

Who is eligible for identity protection based on this compromise?

Individuals whose information was submitted for vetting under the CFATS Personnel Surety Program by their employer or a third party between December 2015 and July 2023.

What benefits will the identity protection services provide to me?

Identity protection services include credit monitoring, identity monitoring, identity theft insurance, and identity restoration services for a period of 18 months. For any questions regarding details of the identity protection services, please contact the services call center at (888) 377-7912. The services call center will be available 24 hours a day, 7 days a week.

How do I enroll in the identity protection?

To enroll in identity protection services, please contact (888) 377-7912. The services call center will be available 24 hours a day, 7 days a week.

How long do I have to sign up for the identity protection services?

Individuals have until February 2, 2025, to enroll in identity protection services. For any questions regarding details of the identity protection services, please contact the services call center at (888) 377-7912. The services call center is available 24 hours a day, 7 days a week.

Why is identity protection not available to me?

The Department of Homeland Security performed a risk-based assessment as to which individuals may face adverse consequences if worst-case circumstances were realized. In this assessment, it was determined that individuals vetted under the CFATS Personnel Surety Program between December 2015 and July 2023 were the only population that faced this risk due to the information that was potentially exposed.

What data was collected in the CFATS Top-Screen survey?

The Top-Screen was an online survey that gathered information from facilities that possessed chemicals of interest (COI) at or above screening threshold quantities and/or concentrations. Information submitted in a Top-Screen may have included (but was not limited to):

  • Facility name and address
  • COI amount (quantity and concentration)
  • Chemical properties (e.g., phase, temperature, pressure)
  • Chemical storage (e.g., container type)
What data was collected in the Security Vulnerability Assessment (SVA)?

All high-risk facilities were required to complete and submit an SVA to identify the facility's use of COI, critical assets, and measures related to the facility’s policies, procedures, and resources that were necessary to support the security plan. The SVA provided an analysis of the facility's security posture and potential vulnerabilities. Information submitted in an SVA may have included (but was not limited to):

  • Cyber and physical security features
  • Location of security features
  • Use of COI and method of shipping/receiving COI
What data was collected in the Site Security Plan/Alternative Security Program (SSP/ASP)?

All high-risk facilities were required to submit a security plan that described existing or planned measures that met the CFATS risk-based performance standards (RBPS). Facilities may have submitted either an online-generated SSP or an ASP generated in their own template that holistically met security measures for their tier and security concern. Information submitted in an SSP/ASP may have included (but was not limited to):

  • How vulnerabilities from SVA were addressed
  • Security measures for each COI
  • How security measures met or exceeded the RBPS, such as:
    • Type of delay barriers (fencing, locks, access control system)
    • Type of alarms
    • Type of cybersecurity controls
What data was collected in the Personnel Surety Program?

The CFATS Personnel Surety Program gathered Personally Identifiable Information (PII) about individuals seeking access to restricted areas and critical assets to be vetted for terrorist ties. At minimum, information provided under the Personnel Surety Program must have included an individual’s name, date of birth, and citizenship or gender. Facilities may have chosen to provide additional PII, including aliases, place of birth, passport number, redress number, Global Entry ID number, or Transportation Worker Identification Credential (TWIC) ID number.


Contact Information

Questions about this incident by chemical facilities or their third-party partners should be addressed to CISA Chemical Security at CFATS.Notifications@cisa.dhs.gov. 

Potentially impacted individuals should contact the identity protection services call center at (888) 377-7912.
