GAO: Chemical Plants Vulnerable to Cyberattacks
DHS Cybersecurity Guidance Not Updated in a Decade
U.S. facilities that produce, use or store hazardous chemicals are vulnerable to cyberattacks, in part because cybersecurity guidelines from the Department of Homeland Security are outdated, according to a recent audit by the General Accountability Office.
The Department of Homeland Security is responsible for managing the Chemical Facility Anti-Terrorism Standards program that focuses on providing security guidance and training for high-risk chemical facilities to ensure that chemicals stored at these facilities are not weaponized. The GAO audit found, however, that these guidelines have not been updated in nearly 10 years.
The Chemical Facility Anti-Terrorism Standards program regulates operations at about 3,300 facilities in the U.S., many of which use newer technologies, such as internet-connected devices, as critical parts of their operations, integrating them with their process control systems and physical security, the GAO report notes. This creates opportunities for malicious actors to remotely access these networks, making the facilities more vulnerable to cyberthreats.
"A successful cyberattack against chemical facilities' information and process control systems can disrupt or shut down operations and lead to serious consequences, such as health and safety risks, including substantial loss of life," according to the GAO audit.
The GAO made six recommendations for how DHS and its Cybersecurity and Infrastructure Security Agency unit can improve the Chemical Facility Anti-Terrorism Standards program. DHS agreed with all the recommendations, including:
- Create a process for regularly reviewing and revising the guidance on cybersecurity measures that high-risk chemical facilities need to implement;
- Develop measures to evaluate how cybersecurity training contributes to the overall goals of the Chemical Facility Anti-Terrorism Standards program;
- Ensure that cybersecurity training for inspectors is tracked and completed;
- Develop training course evaluation forms to ensure chemical facility inspectors have completed the course work;
- Create a workforce plan for the Chemical Facility Anti-Terrorism Standards program that meets the modern cybersecurity needs of these high-risk chemical facilities and ensures that any gaps in the security guidelines are addressed;
- Make information available about how well chemical facilities are integrating these cybersecurity guidelines and following inspectors' recommendations. This includes updating internal databases to ensure that they have the most recent information concerning how these facilities are developing their cybersecurity plans.
"The department remains committed to ensuring that high-risk chemical facilities are implementing appropriate physical and cyber security measures," Jim Crumpacker, a DHS spokesperson, told The Hill.
These types of high-risk chemical facilities are considered part of the nation's critical infrastructure, which is increasingly at risk of attack. In a report released in February, the U.S. National Counterintelligence and Security Center noted that protecting critical infrastructure was a key priority for 2020 (see: US Counterintelligence Outlines 5 Key Priorities).
Outdated Security Guidance
As part of its audit, the GAO found that since the cybersecurity section of the Chemical Facility Anti-Terrorism Standards program is so outdated, it's largely irrelevant for large chemical companies and facilities, which are now following their own security guidelines.
As part of the audit, GAO investigators interviewed officials at chemical industry associations. Some of these officials told auditors that because the DHS guidance was nearly a decade old, larger chemical corporations and facilities may no longer find it useful, and that their own security programs have already matured to address more modern threats, according to the report.
In addition, the GAO found that while the Chemical Facility Anti-Terrorism Standards program provides cybersecurity training for inspectors, there is no process to evaluate the effectiveness of these training programs. Neither DHS nor its CISA unit collects any data on the training, the report notes. As a result, DHS officials were unable to provide information on which inspectors had taken the training.
DHS and CISA officials told the GAO that they have attempted to keep training up to date, but that the pace of technological change makes this difficult. They noted that in 2019, they worked with an outside contractor to develop an updated training module, the report notes.
The GAO report comes as the House Homeland Security Committee is pushing for renewal of the Chemical Facility Anti-Terrorism Standards program, which is set to expire in July. The committee has passed proposed legislation to renew the program, but it has not yet been scheduled for a full House vote, according to The Hill.
Committee Chairman Bennie Thompson, D-Miss., released a statement after the audit was published, noting: "GAO makes clear that cybersecurity vulnerabilities at chemical facilities could jeopardize the safety and security of surrounding communities - an unacceptable risk."
"Our nation's chemical infrastructure is a rich target for cyberattacks. Chairman @BennieGThompson released a statement following a GAO report that shows @DHSgov's Chemical Facility Anti-Terrorism Standards must be strengthened with legislation." - House Homeland Security Committee (@HomelandDems), May 15, 2020