RBPS 8 - Cyber

Risk-Based Performance Standard (RBPS) 8 - Cyber is the performance standard that addresses the deterrence of cyber sabotage, including preventing unauthorized on-site or remote access to critical process controls, critical business systems, and other sensitive computerized systems.

Cyber systems are integrated throughout the operations of covered chemical facilities that possess chemicals of interest (COI). A comprehensive approach of appropriate security policies, practices, and people to prevent, protect, respond to, and recover from incidents helps deter cyber sabotage.

The level and degree of cyber protections expected at facilities increase with the level of cyber integration. When thinking about cybersecurity as it relates to CFATS, facilities should keep in mind their COI and the specific security issue.

Security Measures for Critical Cyber Systems

Cyber systems that a facility may consider critical include, but are not limited to, those that:

  1. Contain business or personal information that, if exploited, could result in the theft, diversion, or sabotage of a COI
  2. Connect to other systems that manage physical processes that contain a COI, or
  3. Monitor and/or control physical processes that contain a COI

The cybersecurity measures described in a covered facility’s security plan (Site Security Plan [SSP] or Alternative Security Plan [ASP]) should address how cybersecurity systems impact the security of the COI, and how the measures protect the critical cyber systems from attacks that could result in the theft, diversion, or sabotage of the COI, depending on the respective security issue(s).

Critical Business Systems

Facilities with critical business systems—such as an inventory management system—that, if exploited, could result in the theft, diversion, or sabotage of a COI should consider several security measures:

  • Develop, maintain, and implement documented and distributed cybersecurity policies and procedures including change management policies, as applicable, to their critical cyber assets
  • Maintain account access control to critical cyber systems utilizing the least privilege concept, maintain access control lists, and ensure that accounts with access to critical/sensitive information or processes are modified, deleted, or de-activated when personnel leave and/or when users no longer require access
  • Implement password management protocols to enforce password structures, ensure all default passwords have been changed (where possible), and implement physical controls for cyber systems where changing default passwords is not technically feasible
  • Ensure that physical access to critical cyber assets and media is restricted to authorized users and affected individuals
  • Report significant cyber incidents to senior management and the CISA Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)
  • Provide cybersecurity training for employees and contractors, as appropriate, who work with cyber assets

Critical Physical Security Systems

Facilities that have physical security systems often use these systems through remote connections. Therefore, facilities with remote access to systems that manage physical processes containing a COI should also consider this security measure:

  • Define allowable remote access and rules of behavior for issues related to remote access (e.g., Internet, virtual private network [VPN], gateways, routers, firewalls, wireless access points, modems, vendor maintenance connections, and Internet Protocol [IP] address ranges)

Critical Control Systems

Facilities with critical systems that monitor and/or control physical processes containing a COI should consider a number of security measures:

  • Conduct recurring audits that measure compliance with the cybersecurity policies, plans, and procedures and report results to senior management
  • Document the business need and network/system architecture for all critical cyber assets
  • Disable unnecessary system elements once they are identified, identify and evaluate potential vulnerabilities, and implement compensatory security controls
  • Identify and document systems boundaries and implement security controls to limit access across those boundaries
  • Maintain a defined incident response system for possible cyber incidents (e.g., denial-of-service attack, virus, worm attack, botnet, etc.)
  • Integrate cybersecurity into the system lifecycle for all critical cyber assets from system design through procurement, implementation, operation, and disposal
  • Monitor the critical networks in real-time for unauthorized or malicious access and alerts, and recognize and log events and incidents
  • Integrate backup power for all critical cyber systems should an emergency or incident occur
  • Maintain continuity of operations plans, IT contingency plans, and/or disaster recovery plans

Contact Information

Information provided is derived from the CFATS RBPS Guidance. For additional information on RBPS 8 and all other DHS RBPS, please visit the RBPS webpage.

For more information about the CFATS program, please contact CFATS@hq.dhs.gov.