Site loading image


Hardening Cyber Defenses at Chemical Facilities a Key Part of Federal CFATS Regulations

Alan Yankowski | October 24, 2017

This is Part 3 of TRC’s five-part blog series on the Department of Homeland Security’s Chemical Facility Anti-Terrorism Standards.

When people talk about the Department of Homeland Security’s Chemical Facility Anti-Terrorism Standards (CFATS), the conversation often seems to drift to the chemicals of interest (COI). And understandably so, as these are the raw materials terrorists could use to unleash a horrific attack on the United States.

People new to the CFATS program are often surprised to learn that it also contains robust guidelines for cyber security. They shouldn’t be, however, as hardening defenses against a cyber attack is essential to managing the overall risk for a facility.

In addition to physically securing chemicals, facilities subject to CFATS also need to have comprehensive cyber security policies and practices in place to prevent technology-based attacks – or at least mitigate their impact. This means preventing unauthorized access to sensitive computer or network systems, including:

  • Critical process control systems
  • Critical business systems
  • Video monitoring systems
  • Access control systems

The CFATS Cyber Security Measures cover not only the process control systems but also business systems that, if exploited, could result in the theft, diversion, or sabotage of a COI. The proper identification of threats and vulnerabilities and associated risk analysis requires facilities to create a cross-functional team to assess its systems.

The CFATS Cyber Security Measures comprise 46 questions in the following subject areas:

  • Policies and training
  • IT personnel
  • Network accounts and access
  • Network operations and system architecture
  • Network monitoring and Incident reporting
  • Cyber control and business systems
  • Cybersecurity other
  • Cyber – planned measures
  • Cyber – proposed measures

The first step in developing the cyber security portion of a CFATS Site Security Plan (SSP) is assembling comprehensive equipment inventory lists, detailed network topology drawings and copies of existing cyber policies and procedures. Once the background material is put together, an interview process will then review existing and proposed security measures, discuss daily operations, examine incident preparedness and assess resiliency.

Within the security plan, the facility must list all “critical” cyber assets. The DHS defines a critical cyber asset as a system that:

  • Contains business or personal information that could be exploited to steal, divert or sabotage a COI.
  • Is connected to other systems that manage physical processes involving a COI.
  • Monitors or controls physical processes that involve the use of a COI.

This list must include the name of the cyber asset and a brief description that demonstrates how it affects the security of the COI.

How TRC Can Help

TRC provides expert cyber security consulting to help facility owners understand this DHS regulatory program and achieve compliance. The CFATS cyber security questions can be daunting for anyone who is not a cyber specialist, and TRC can help you understand both the letter and the spirit of the requirements.

Our CFATS project teams have extensive experience with assessment, developing cyber security programs, and designing plans that have helped numerous facilities manage chemicals safely and responsibly while reducing risk. By combining in-depth knowledge of the regulations with extensive cyber security expertise, TRC can help you develop individualized compliance strategies to mitigate or manage risks.

Next Steps

Alan Yankowski

TRC’s Cyber Security Program Manager, Alan Yankowski has 30 years of experience directing complex projects that build and optimize organizational processes, measurement systems and infrastructure in a variety of industries. He has worked on physical and cyber security threat and vulnerability assessments for transit ports, public buildings, utilities and chemical facilities. He is experienced in a broad array of security programs and methodologies, including CFATS, NERC CIP, FEMA 426/452, FEMA 455 IRVS, and FTA. He holds a BA in Chemistry from the University of Rochester.

By clicking "Accept", you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. Read our Privacy Policy.