RBPS 8 – Cyber is the performance standard that addresses the deterrence of cyber sabotage, including preventing unauthorized onsite or remote access to critical process controls, critical business systems, and other sensitive computerized systems.
Cyber systems are integrated throughout the operations of covered chemical facilities that possess chemicals of interest (COI) under the Chemical Facility Anti-Terrorism Standards (CFATS) program. A good cybersecurity posture means taking a comprehensive view of all cyber systems and using a layered approach of policies, practices, and people to prevent, protect against, respond to, and recover from cyber sabotage or incidents such as a denial-of-service attack, virus, worm, botnet, and more.
ALERT: Due to the critical nature of the ongoing Microsoft Exchange vulnerabilities, the Cybersecurity and Infrastructure Security Agency (CISA) is recommending that all facilities that use Microsoft Exchange Server on-premises products review Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities, check for signs of compromise, and apply the necessary Microsoft Exchange Server updates to affected systems to protect against these exploits and avoid being compromised. While CFATS high-risk facilities are not being required to implement heightened security measures under RBPS 14 of their security plans or under other CFATS authorities at this time, CISA may activate these requirements in the future.
Security Measures for Critical Cyber Systems
Cyber systems that a facility may consider critical include, but are not limited to, those that:
- Monitor or control physical processes that contain a COI.
- Contain business or personal data that could be exploited to steal, divert, or sabotage a COI.
- Connect to other cyber physical systems (CPS) that manage physical processes that contain or affect the security of a COI.
- Are identified as information technology (IT), operational technology (OT), or communications systems.
- Connect to the Internet of Things (IoT).
The cybersecurity measures described in a covered facility’s security plan (Site Security Plan [SSP] or Alternative Security Plan [ASP]) should list all its cyber systems and describe how the measures will protect these systems from attacks that could cause a COI to be released, diverted, or stolen.
Critical Business Systems
Facilities with critical business systems—such as an inventory management system—that, if exploited, could result in the theft, diversion, or sabotage of a COI should consider several security measures:
- Develop, maintain, and implement documented and distributed cybersecurity policies and procedures, including change management policies, as applicable, to critical cyber assets.
- Maintain account access control utilizing the least privilege concept, maintain access control lists, and ensure that accounts with access to critical/sensitive information or processes are modified, deleted, or deactivated immediately when personnel leave or when users no longer require access.
- Implement password management protocols to enforce password structures, change all default passwords (where possible), and implement physical controls for cyber systems where changing default passwords is not technically feasible.
- Restrict physical access to critical cyber assets and media to authorized users and affected individuals.
- Report significant cyber incidents to senior management and CISA Central at email@example.com.
- Train employees and contractors who work with cyber assets in cybersecurity, as appropriate.
Critical Physical Security Systems
Facilities often operate their physical security systems through remote connections. Facilities with remote access to systems that manage physical processes containing a COI should therefore also consider this security measure:
- Define allowable remote access (e.g., internet, virtual private network [VPN], gateways, routers, firewalls, wireless access points, modems, vendor maintenance connections, and Internet Protocol [IP] address ranges), user responsibilities, and rules of behavior for remote access issues.
Critical Control Systems
Facilities with critical systems that monitor and/or control physical processes containing a COI should consider measures to:
- Conduct recurring audits that measure compliance with the cybersecurity policies, plans, and procedures and report results to senior management.
- Document the business need and network/system architecture for all critical cyber assets.
- Disable unnecessary system elements upon identification, identify and evaluate potential vulnerabilities, and implement appropriate compensatory security controls.
- Identify and document systems boundaries, and implement security controls to limit access across those boundaries.
- Maintain a defined incident response system for possible cyber incidents (e.g., denial-of-service attack, virus, worm attack, botnet).
- Integrate cybersecurity into the system lifecycle for all critical cyber assets from system design through procurement, implementation, operation, and disposal.
- Monitor the critical networks in real time for unauthorized or malicious access and alerts, and recognize and log events and incidents.
- Integrate backup power for all critical cyber systems should an emergency or incident occur.
- Maintain continuity of operations plans, IT contingency plans, and/or disaster recovery plans.
Resources
- CISA Cyber Resource Hub
- National Institute of Standards and Technology (NIST) Computer Security Resource Center
- Security and Privacy Controls for Federal Information Systems and Organizations
- Chemical Sector Cybersecurity Framework Implementation Guidance