Of CFATS and Protecting Chemicals of Interest
The purpose of this series is to pick a subset of the “Critical Asset” class of facilities/devices and to dig in on the attached regulatory framework(s) with a direct focus on the elements of the framework related to cybersecurity.
If you feel like there is a regulatory framework for just about everything these days, you are not alone.
Today’s framework is the Chemical Facility Anti-Terrorism Standards (CFATS) Act of 2014 which applies to any chemical facility in possession of one of 300 Chemicals of Interest (COIs).
This framework is broken into 18-Risk Based Performance Standards (RBPS) developed by the Department of Homeland Security. Of those 18, RBPS-8, directly focuses on cybersecurity.
The language of the directive is as follows:
“Deter cyber sabotage, including by preventing unauthorized on-site or remote access to critical process controls, such as Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCSs), Process Control Systems (PCSs), Industrial Control Systems (ICSs); critical business systems; and other sensitive computerized systems;”
Fortunately, DHS has broken that concept down into more prescriptive rules for different classes of networked systems – Critical Business Systems, Critical Physical Security Systems, and Critical Control Systems.
For all three, the focus is primarily to limit and control physical and remote access to these networked systems. There are six key elements that stick out:
- Access control with least privilege
- Deactive outdated accounts.
- Be smarter about passwords
- Define allowable remote access
- Implement an Intrusion/Threat Detection Tool
1. Access control with least privilege
Least Privilege simply entails giving a user or user-group the absolute minimum access they need to get the job done.
For a concrete example, we can look at how we implement least privilege at Dispel: whenever we create an encrypted pathway to a critical network, we create a list of users authorized to connect to the network, and then whitelist the resources within the network available to each user.
Different pathways might go to entirely different networks or facilities, and each can have its own whitelist. The point is, in every case, each user only has access to what they absolutely need to accomplish their job. They can't access additional resources, and can't even see the pathways to other resources/facilities!
2. De-activate outdated accounts.
"Ensure that accounts with access to critical/sensitive information or processes are modified, deleted, or de-activated when personnel leave and/or when users no longer require access."
In theory, this is simple--just clean up after yourself and lock the door on the way out. In practice, because there's a huge rotating cast of characters and our to-do lists are 10,000 things long, this is where most mistakes are made.
I get it. We've all been there, and until now there was really no way around it except to juggle every Active Directory account in your organization.
But even with accounts properly disabled, I would argue that a disabled active directory account is still not secure enough. In that scenario, an unauthorized user still knows where the entry point to the perimeter of your network is. If that user is then phished, an adversary would now know where to start their attack.
A more complete security posture involves not just locking the door, but burning the bridge that got them there.
If you truly want to clean up after yourself, an unauthorized user should never know where your network perimeter resides. This may sound hard, but with the proper tools it's actually completely doable. People shouldn't have access to your systems when they don't need them--why take the risk?
(shameless self plug) At Dispel, we take cleaning up after ourselves so seriously that we built a scheduling tool to programmatically destroy the pathways during off hours, or at the end of each project.
3. Be smarter about passwords.
We all get this concept by now – always use at least one uppercase, one lowercase, one number, and one special character in a password with at least 8 characters. But, to take it a step further (and make everyone's lives easier, actually), your teams should implement a good password manager which generates super strong, unique passwords for each service.
Make sure any all accounts related to your business are protected by Multi-Factor Authentication, whether that is a good Temporary One-Time Password solution or a hardware device like a Yubikey. At Dispel, we enable MFA by default.
One final note, encourage your employees to use these tools for their own accounts at home. It is better for business if their bank information stays safe as well, I promise.
This one is a doozy. We’ve all been told humans are the weakest link, and yet we constantly throw new, more secure tools at them and tell them to re-learn how to do their job.
So, don’t rely on them to have perfect cyber-hygiene. Find and implement a tool that invisibly enforces it, so your employees can spend more time doing what you were actually paying them for in the first place.
5. Define allowable remote access.
Getting this right requires a multi-faceted approach. A strong firewall is a great start and quite simply a necessity. However, if you sit a firewall at your perimeter and let the cesspool of the internet at it, a zero-day will find its way in.
Instead keep that network offline as it should be. Create time-based access pathways only when needed, and ensure that your network detection tools are finding real threats rather than false positives. End-to-end encryption is a must, and if you do not trust the end user’s device, consider forcing them through a clean virtual desktop.
6. Implement an Intrusion/Threat Detection Tool
This is a great idea and the cyber security market is chock full of them. Full disclosure, this is not what we focus on at Dispel, but I’ll give a couple quick tips we’ve heard from customers.
a. Make sure the tool you choose is compatible with the protocols on your legacy devices,
b. Pick a tool that will assist with asset inventory/management.
c. Really focus on what the implementation requires, including how aggressive the download and maintenance load is on your legacy devices.
Hopefully this run through has been helpful, and if you get these six facets right, your organization will be well on its way to complying with CFATS!