Chemical Facility Anti-Terrorism Standards (CFATS): Cyber Reporting
As of July 28, 2023, Congress has allowed the statutory authority for the Chemical Facility Anti-Terrorism Standards (CFATS) program (6 CFR Part 27) to expire.
Therefore, CISA cannot enforce compliance with the CFATS regulations at this time. This means that CISA will not require facilities to report their chemicals of interest or submit any information in CSAT, perform inspections, or provide CFATS compliance assistance, amongst other activities. CISA can no longer require facilities to implement their CFATS Site Security Plan or CFATS Alternative Security Program.
CISA encourages facilities to maintain security measures. CISA’s voluntary ChemLock resources are available on the ChemLock webpages.
If CFATS is reauthorized, CISA will follow up with facilities in the future. To reach us, please contact CFATS@hq.dhs.gov.
Risk-Based Performance Standard (RBPS) 8 — Cyber and RBPS 15 — Reporting of Significant Security Incidents require facilities covered under the Chemical Facility Anti-Terrorism Standards (CFATS) program to establish protocols for identifying and reporting significant cyber incidents to appropriate facility personnel, local law enforcement, and the Cybersecurity and Infrastructure Security Agency (CISA).
Examples of Critical Cyber Systems
Cyber systems may be integrated throughout the operations of chemical facilities, including controlling sensitive processes, granting authorized access, and enabling business functions. Systems that a facility may consider critical are systems related to controlling, processing, or accessing COI, which may include, but are not limited to:
- A control system (including a remotely operated control system) that directly monitors or controls manufacturing or other physical processes that contain COI.
- A business system at the headquarters office that manages ordering or shipping of a COI.
- A business system (at the facility, headquarters office, or third party) that contains personally identifiable information for those individuals (e.g., facility personnel, customers) who could be exploited to steal, divert, or sabotage a COI.
- An access control or security monitoring system that is connected to other systems.
- Enterprise resource planning systems that conduct critical functions in support of chemical processes for COI or a COI supply chain activity.
- Email and fax systems used to transmit sensitive information related to ordering or shipping of a COI.
- A noncritical control system on the same network as a critical control system.
- A sales system that is connected to the data historian for a critical control system.
- A watchdog system or Safety Instrumented System (SIS) for a critical control system.
- A system hosting critical or sensitive information that, if exploited, could result in the theft or diversion of a COI or sabotage its processing (e.g., website, intranet).
A cyberattack can have significant physical consequences—especially in a high-risk chemical facility that possesses systems vulnerable to cyber sabotage. Even seemingly noncritical systems may provide backdoor access to systems that manage critical processes. Having a good cybersecurity posture means taking a comprehensive view of all cyber systems and using a layered approach of policies, practices, and people to prevent, protect against, respond to, and recover from cyber incidents.
Examples of Cyber Incidents
Incidents that could be assessed as significant cyber incidents that high-risk facilities should consider reporting to CISA include, but are not limited to:
- Known security issues, vulnerabilities, and exploits that impact the COI asset areas or system.
- Attempts to gain unauthorized access to a critical cyber system.
- Threats to operational technology (OT) (e.g., Supervisory Control and Data Acquisition [SCADA] systems, Distributed Control Systems [DCSs], Process Control Systems [PCSs], Industrial Control Systems [ICSs]).
- Ransomware incidents.
- Phishing, malware, trojan horse, or virus attacks that were not contained using cybersecurity software tools, practices, and techniques.
- Structured Query Language (SQL) injections where malicious code is injected into a server and forces it to disclose private data.
- Attempts to gain unauthorized access to a system's wireless network or mobile devices on the network.
- Changes to a system's firmware, software, or hardware without the system owners' consent.
- Disruption or denial of service (DOS), or distributed denial of service (DDOS) attempts.
- Any effects on critical infrastructure or core government functions; or impacts to national security, economic security, or public health and safety systems.
Before an Incident
The easiest way for a facility to prepare its employees to do their part is to clearly explain to them—and especially to security staff—how to identify, respond to, and report a cyber incident. In the cybersecurity section of a facility's Site Security Plan (SSP) or Alternative Security Program (ASP), the facility should list all of its cyber systems, describe how the measures will protect these systems, and provide reporting protocols for a cyber incident. Before a cyber incident, the facility should identify to whom an incident will be reported.
Contacts to Report Significant Cyber Incidents:
- For more questions on this topic or CISA in general, please contact Central@cisa.gov.
- To report anomalous cyber activity or cyber incidents 24/7, email firstname.lastname@example.org or call -888-282-0870.
- Facility Cybersecurity Officer
- Facility Security Officer
- Chemical Security Inspector
Reporting a Cyber Incident to CISA
Information sharing is critical, as timely warnings of attacks, incidents, and network abnormalities can reduce the number of victims and lessen the impact. Once a cyber incident has been detected and response measures in the facility's security plan have been initiated, high-risk facilities are required to report anomalous cyber activity and cyber incidents in accordance with their SSP or ASP.
When contacting CISA Central, facilities should indicate that they are "critical infrastructure" and fall within the Chemical Sector. Facilities should also include a description of the incident, indicate that they are regulated under CFATS, and include the facility identification number (i.e., FID) issued to them by CISA when they registered their facility in the Chemical Security Assessment Tool (CSAT).
After an Incident
Facilities are expected to retain the incident reporting number issued to them as evidence that they have complied with the significant incident reporting requirements under RBPS 15. Generally, a Chemical Security Inspector follows up on the incident report and subsequently conducts an interview that may solicit additional information. Facilities should be prepared to provide the incident number to the Chemical Security Inspector.
- RBPS 8 — Cyber
- RBPS 15 — Significant Security Incidents
- CISA's Role in Industrial Control Systems
- CISA Cyber Resource Hub
- Local Federal Bureau of Investigation (FBI) Offices
- Chemical Sector Cybersecurity Framework Implementation Guidance
- Computer Security Resource Center