CFATS Risk-Based Performance Standard (RBPS) 8 – Cyber


RBPS 8 – Cyber is the performance standard that addresses the deterrence of cyber sabotage, including preventing unauthorized onsite or remote access to critical process controls, critical business systems, and other sensitive computerized systems.

Cyber systems are integrated throughout the operations of covered chemical facilities that possess chemicals of interest (COI) under the Chemical Facility Anti-Terrorism Standards (CFATS) program. A good cybersecurity posture means taking a comprehensive view of all cyber systems and using a layered approach of policies, practices, and people to prevent, protect against, respond to, and recover from cyber sabotage or incidents such as a denial-of-service attack, virus, worm, botnet, and more.

Security Measures for Critical Cyber Systems

Cyber systems that a facility may consider critical include, but are not limited to, those that:

  1. Monitor or control physical processes that contain a COI.
  2. Contain business or personal data that could be exploited to steal, divert, or sabotage a COI.
  3. Connect to other cyber physical systems (CPS) that manage physical processes that contain or affect the security of a COI.
  4. Are identified as information technology (IT), operational technology (OT), or communications systems.
  5. Connect to the Internet of Things (IoT).

The cybersecurity measures described in a covered facility’s security plan (Site Security Plan [SSP] or Alternative Security Plan [ASP]) should list all its cyber systems and describe how the measures will protect these systems from attacks that could cause a COI to be released, diverted, or stolen.

Critical Business Systems

Facilities with critical business systems—such as an inventory management system—that, if exploited, could result in the theft, diversion, or sabotage of a COI should consider several security measures:

  • Develop, maintain, and implement documented and distributed cybersecurity policies and procedures, including change management policies, as applicable, to critical cyber assets.
  • Maintain account access control utilizing the least privilege concept, maintain access control lists, and ensure that accounts with access to critical/sensitive information or processes are modified, deleted, or deactivated immediately when personnel leave or when users no longer require access.
  • Implement password management protocols to enforce password structures, change all default passwords (where possible), and implement physical controls for cyber systems where changing default passwords is not technically feasible.
  • Restrict physical access to critical cyber assets and media to authorized users and affected individuals.
  • Report significant cyber incidents to senior management and CISA Central at central@cisa.gov.
  • Train employees and contractors who work with cyber assets in cybersecurity, as appropriate.

Critical Physical Security Systems

Often facilities that have physical security systems utilize these systems through remote connections. Therefore, facilities with remote access to systems that manage physical processes containing a COI should also consider this security measure:

  • Define allowable remote access (e.g., internet, virtual private network [VPN], gateways, routers, firewalls, wireless access points, modems, vendor maintenance connections, Internet Protocol [IP], and address ranges), user responsibilities, and rules of behavior for remote access issues.

Critical Control Systems

Facilities with critical systems that monitor and/or control physical processes containing a COI should consider measures to:

  • Conduct recurring audits that measure compliance with the cybersecurity policies, plans, and procedures and report results to senior management.
  • Document the business need and network/system architecture for all critical cyber assets.
  • Disable unnecessary system elements upon identification, identify and evaluate potential vulnerabilities, and implement appropriate compensatory security controls.
  • Identify and document systems boundaries, and implement security controls to limit access across those boundaries.
  • Maintain a defined incident response system for possible cyber incidents (e.g., denial-of-service attack, virus, worm attack, botnet, etc.).
  • Integrate cybersecurity into the system lifecycle for all critical cyber assets from system design through procurement, implementation, operation, and disposal.
  • Monitor the critical networks in real time for unauthorized or malicious access and alerts, and recognize and log events and incidents.
  • Integrate backup power for all critical cyber systems should an emergency or incident occur.
  • Maintain continuity of operations plans, IT contingency plans, and/or disaster recovery plans.

Additional Resources

Contact Information

Information provided is derived from the CFATS RBPS Guidance. For additional information on RBPS 8 and all other DHS RBPS, please visit the RBPS webpage.

For more information about the CFATS program, please contact CFATS@hq.dhs.gov.

Was this document helpful?  Yes  |  Somewhat  |  No