CFATS Risk-Based Performance Standard (RBPS) 8 — Cyber
As of July 28, 2023, Congress has allowed the statutory authority for the Chemical Facility Anti-Terrorism Standards (CFATS) program (6 CFR Part 27) to expire.
Therefore, CISA cannot enforce compliance with the CFATS regulations at this time. This means that CISA will not require facilities to report their chemicals of interest or submit any information in CSAT, perform inspections, or provide CFATS compliance assistance, amongst other activities. CISA can no longer require facilities to implement their CFATS Site Security Plan or CFATS Alternative Security Program.
CISA encourages facilities to maintain security measures. CISA’s voluntary ChemLock resources are available on the ChemLock webpages.
If CFATS is reauthorized, CISA will follow up with facilities in the future. To reach us, please contact CFATS@hq.dhs.gov.
RBPS 8 — Cyber is the risk-based performance standard that addresses the deterrence of cyber sabotage, including preventing unauthorized onsite or remote access to critical process controls, critical business systems, and other sensitive computerized systems.
Cyber systems are integrated throughout the operations of high-risk chemical facilities that possess chemicals of interest (COI) under the Chemical Facility Anti-Terrorism Standards (CFATS) program. A good cybersecurity posture means taking a comprehensive view of all cyber systems and using a layered approach of policies, practices, and people to prevent, protect against, respond to, and recover from cyber sabotage and incidents such as denial-of-service attacks, viruses, worms, and botnets.
Security Measures for Critical Cyber Systems
Cyber systems that a facility may consider critical include, but are not limited to, those that:
- Monitor or control physical processes that contain a COI.
- Contain business or personal data that could be exploited to steal, divert, or sabotage a COI.
- Connect to other cyber-physical systems (CPS) that manage physical processes that contain or affect the security of a COI.
- Are identified as information technology (IT), operational technology (OT), or communications systems.
- Connect to the Internet of Things (IoT).
The cybersecurity measures described in a high-risk facility's security plan (Site Security Plan [SSP] or Alternative Security Plan [ASP]) should list all of the facility's cyber systems and describe how the measures will protect these systems from attacks that could cause a COI to be released, diverted, or stolen.
Critical Business Systems
Facilities with critical business systems (e.g., an inventory management system) that, if exploited, could result in the theft, diversion, or sabotage of a COI should consider several security measures:
- Develop, maintain, and implement documented and distributed cybersecurity policies and procedures, including change management policies, as applicable, to critical cyber assets.
- Maintain account access control using the least privilege concept, maintain access control lists, and ensure that accounts with access to critical/sensitive information or processes are modified, deleted, or deactivated immediately when personnel leave or when users no longer require access.
- Implement password management protocols to enforce password structures, change all default passwords (where possible), and implement physical controls for cyber systems where changing default passwords is not technically feasible.
- Restrict physical access to critical cyber assets and media to authorized users and affected individuals.
- Train employees and contractors who work with cyber assets in cybersecurity, as appropriate.
Critical Physical Security Systems
Facilities often operate their physical security systems through remote connections. Therefore, facilities with remote access to systems that manage physical processes containing a COI should also consider this security measure:
- Define allowable remote access (e.g., internet, virtual private network [VPN], gateways, routers, firewalls, wireless access points, modems, vendor maintenance connections, and Internet Protocol [IP] address ranges), user responsibilities, and rules of behavior for remote access.
Critical Control Systems
Facilities with critical systems that monitor or control physical processes containing a COI should consider measures to:
- Conduct recurring audits that measure compliance with the cybersecurity policies, plans, and procedures and report results to senior management.
- Document the business need and network/system architecture for all critical cyber assets.
- Disable unnecessary system elements upon identification, identify and evaluate potential vulnerabilities, and implement appropriate compensatory security controls.
- Identify and document system boundaries and implement security controls to limit access across those boundaries.
- Maintain a defined incident response system for possible cyber incidents (e.g., denial-of-service attack, virus, worm attack, botnet).
- Integrate cybersecurity into the system lifecycle for all critical cyber assets from system design through procurement, implementation, operation, and disposal.
- Monitor critical networks in real time for unauthorized or malicious access and for alerts, and recognize and log events and incidents.
- Provide backup power for all critical cyber systems in case an emergency or incident occurs.
- Maintain continuity of operations plans, IT contingency plans, and disaster recovery plans.
Resources
- CFATS: Reporting Cyber Incidents
- CISA Cyber Resource Hub
- National Institute of Standards and Technology (NIST) Computer Security Resource Center (CSRC)
- Security and Privacy Controls for Federal Information Systems and Organizations
- Chemical Sector Cybersecurity Framework Implementation Guidance