From the U.S. Government Accountability Office, www.gao.gov Transcript for: Chemical Facilities Cybersecurity Description: Nick Marinos and Nathan Anderson join the Watchdog Report to discuss a Department of Homeland Security program providing a set of cybersecurity standards for chemical facilities. Related GAO Work: GAO-20-453, Critical Infrastructure Protection: Actions Needed to Enhance DHS Oversight of Cybersecurity at High-Risk Chemical Facilities Released: May 2020 [ Intro Music ] [Nathan Anderson:] Those folks tasked with protecting American citizens need to have the knowledge, skills, and abilities to be able to stay on top of this threat landscape. [Matt Oldham:] Welcome to GAO's Watchdog Report, your source for news and information from the U.S. Government Accountability Office. I'm Matt Oldham. The Department of Homeland Security has a program to evaluate the cyber security of chemical facilities. It's called Chemical Facility Anti-Terrorism Standards, or CFATS, and it covers more than 3,000 locations. And with me to talk about a GAO report on CFATS are Nathan Anderson, a Homeland Security and Justice director, and Nick Marinos, an Information Technology and Cyber Security director. Thank you both for joining me. [Nathan Anderson:] Thank you. [Nick Marinos:] You bet, Matt. [Matt Oldham:] So, Nick, why is cyber security important for the chemical industry? [Nick Marinos:] So, Matt, let's step back and just recognize that, you know, chemical facility operations, this is a part of the nation's critical infrastructure. So just like any other part of that critical infrastructure, IT technology has become a critical component of day-to-day activities. So over the last decade, we've seen companies in the chemical sector look to gain efficiencies by connecting together their physical security and the technology that they rely on for normal operations at their facilities. So on the one hand this is really good because it offers advantages to system operators like being able to work remotely which, obviously, could be very helpful these days in light of current social distancing protocols. On the other hand, though, it's no surprise that this makes operators and their systems more susceptible to cyber attacks. So let me talk through maybe three of those key cyber risks that facilities and their systems sort of face. The first would be ineffective protection of cyber assets, so basically poor cyber hygiene which can increase the likelihood that an incident or cyber attack could occur. And this could result in the disruption of operations, or it could be inappropriate access or destruction of sensitive information. And this leaves operators not only vulnerable to intentional activities but also unintentional events like natural disasters, failures in IT systems. And then the second are those intentional threats. So those would be like corrupt employees, criminal groups, nation-states, folks that seek to leverage the organization's dependence on technology. And then finally the actual techniques that cyber threat adversaries make use of are another risk. So these would include using hacking methods to do harm through various platforms like websites, e-mail, wireless communications, or even social media. So if you combine all those risks, you can see why it's so critical for chemical facility operators to take cyber security seriously. [Matt Oldham:] And, Nathan, what's DHS's role here? [Nathan Anderson:] Well, Matt, in most critical infrastructure sectors, DHS plays a coordinating and information-sharing role, but for chemical facilities, DHS has a regulatory role through the CFATS program. In essence, DHS's role is to identify and assess vulnerabilities at the high risk chemical facilities and ensures that such facilities have the proper security measures in place. DHS has developed 18 risk-based security standards, one of which is cybersecurity, but I want you to think of these as security requirements. DHS works with chemical facilities to ensure they have proper security measures to meet these standards, and to help reduce cyber-related risks associated with certain hazards of chemicals. [Matt Oldham:] Are there any challenges that DHS is facing when it comes to ensuring the cybersecurity for chemical facilities? [Nathan Anderson:] Absolutely. Some of these challenges stem from the different types of chemical facilities that the CFATS program regulates. Those can be from huge petrochemical facilities that may already have comprehensive security measures to mom-and-pop stores in the heartland that sell fertilizer and may not have even known that they were regulated. So you have a regulated community of 3,300 facilities that is very broad in scope, and this requires flexible security standards. What is good for an oil refinery in Texas may not be good or feasible for a corner store in rural Iowa. I'd also like to add, though, with regard to the challenges we found, DHS currently lacks a process to ensure the sharing of current, timely, and relevant cyber security guidance with the facilities and the inspectors. The existing guidance is more than 10 years old, but the cyber threat landscape changes all the time and this can make it difficult for chemical facilities to be up-to-date with critical cybersecurity information to help protect their cyber systems. [ Music ] [Matt Oldham:] So it sounds like the CFATS program may not be providing the most current cybersecurity guidance, and this could leave the chemical facilities more vulnerable to cyber threats. Nick, what steps could DHS take to address these vulnerabilities? [Nick Marinos:] Well, I think you hit it on the head there, Matt. I think the first one is for DHS to make sure that they have some kind of process, some sort of system for regularly reviewing that guidance that Nathan mentioned, and then making sure that it's updated as needed. And then the second thing, Nathan mentioned the importance of inspections. And we can't really emphasize enough the importance of ensuring that those inspectors have the right skills and abilities to be able to identify what those cyber risks are. So two other things that we think are important are for DHS to improve the way that it evaluates the kind of training that these inspectors are taking to ensure that they have the right skills they need. And then finally I think we both feel a strong need for DHS to take a more broad-based look at the ability for its work force to actually meet these cybersecurity needs and then come up with an action plan so they can address any of those gaps that are needed to address. [Matt Oldham:] And, Nathan, what's the bottom line of this report? [Nathan Anderson:] Bottom line, beyond the need for the up-to-date guidance that Nick just spoke to, DHS cannot ensure that it has the right people with the right knowledge, skills, and abilities to assess both cyber risks and protective measures. You know, the reason that this needs to change is that you have a cyber threat that changes daily. When guidance is 10 years out-of-date, when the folks in the federal government tasked with assessing whether or not facilities that have dangerous chemicals have the ability to protect from a changing threat landscape, those inspectors, those folks tasked with assessing and in certain cases protecting American citizens, need to have the knowledge, skills, and abilities to be able to evolve and change and stay on top of this threat landscape. [Matt Oldham:] Nathan Anderson and Nick Marinos were talking about a GAO report on a DHS program for evaluating the cyber security of chemical facilities. Thank you both for your time, gents. [Nathan Anderson:] Thank you, Matt. [Nick Marinos:] Thanks a lot, Matt. [Matt Oldham:] And thank you for listening to the Watchdog Report. To hear more podcasts, subscribe to us on Apple podcasts. Make sure you leave a rating and review to let others know about the work we're doing. For more from the congressional watchdog, the U.S. Government Accountability Office, visit us at gao.gov. [ Music ]