From the U.S. Government Accountability Office, www.gao.gov

Transcript for: Chemical Facilities Cybersecurity

Description: Nick Marinos and Nathan Anderson join the Watchdog Report
to discuss a Department of Homeland Security program providing a set of
cybersecurity standards for chemical facilities.

Related GAO Work: GAO-20-453, Critical Infrastructure Protection:
Actions Needed to Enhance DHS Oversight of Cybersecurity at High-Risk
Chemical Facilities

Released: May 2020

[ Intro Music ]

[Nathan Anderson:] Those folks tasked with protecting American citizens
need to have the knowledge, skills, and abilities to be able to stay on
top of this threat landscape.

[Matt Oldham:] Welcome to GAO's Watchdog Report, your source for news
and information from the U.S. Government Accountability Office. I'm Matt
Oldham. The Department of Homeland Security has a program to evaluate
the cyber security of chemical facilities. It's called Chemical Facility
Anti-Terrorism Standards, or CFATS, and it covers more than 3,000
locations. And with me to talk about a GAO report on CFATS are Nathan
Anderson, a Homeland Security and Justice director, and Nick Marinos, an
Information Technology and Cyber Security director. Thank you both for
joining me.

[Nathan Anderson:] Thank you.

[Nick Marinos:] You bet, Matt.

[Matt Oldham:] So, Nick, why is cyber security important for the
chemical industry?

[Nick Marinos:] So, Matt, let's step back and just recognize that, you
know, chemical facility operations, this is a part of the nation's
critical infrastructure. So just like any other part of that critical
infrastructure, IT technology has become a critical component of
day-to-day activities. So over the last decade, we've seen companies in
the chemical sector look to gain efficiencies by connecting together
their physical security and the technology that they rely on for normal
operations at their facilities. So on the one hand this is really good
because it offers advantages to system operators like being able to work
remotely which, obviously, could be very helpful these days in light of
current social distancing protocols. On the other hand, though, it's no
surprise that this makes operators and their systems more susceptible to
cyber attacks. So let me talk through maybe three of those key cyber
risks that facilities and their systems sort of face. The first would be
ineffective protection of cyber assets, so basically poor cyber hygiene
which can increase the likelihood that an incident or cyber attack could
occur. And this could result in the disruption of operations, or it
could be inappropriate access or destruction of sensitive information.
And this leaves operators not only vulnerable to intentional activities
but also unintentional events like natural disasters, failures in IT
systems. And then the second are those intentional threats. So those
would be like corrupt employees, criminal groups, nation-states, folks
that seek to leverage the organization's dependence on technology. And
then finally the actual techniques that cyber threat adversaries make
use of are another risk. So these would include using hacking methods to
do harm through various platforms like websites, e-mail, wireless
communications, or even social media. So if you combine all those risks,
you can see why it's so critical for chemical facility operators to take
cyber security seriously.

[Matt Oldham:] And, Nathan, what's DHS's role here?

[Nathan Anderson:] Well, Matt, in most critical infrastructure sectors,
DHS plays a coordinating and information-sharing role, but for chemical
facilities, DHS has a regulatory role through the CFATS program. In
essence, DHS's role is to identify and assess vulnerabilities at the
high-risk chemical facilities and ensure that such facilities have the
proper security measures in place. DHS has developed 18 risk-based
security standards, one of which is cybersecurity, but I want you to
think of these as security requirements. DHS works with chemical
facilities to ensure they have proper security measures to meet these
standards, and to help reduce cyber-related risks associated with
certain hazards of chemicals.

[Matt Oldham:] Are there any challenges that DHS is facing when it comes
to ensuring the cybersecurity for chemical facilities?

[Nathan Anderson:] Absolutely. Some of these challenges stem from the
different types of chemical facilities that the CFATS program regulates.
Those can range from huge petrochemical facilities that may already have
comprehensive security measures to mom-and-pop stores in the heartland
that sell fertilizer and may not have even known that they were
regulated. So you have a regulated community of 3,300 facilities that is
very broad in scope, and this requires flexible security standards. What
is good for an oil refinery in Texas may not be good or feasible for a
corner store in rural Iowa. I'd also like to add, though, with regard to
the challenges we found, DHS currently lacks a process to ensure the
sharing of current, timely, and relevant cyber security guidance with
the facilities and the inspectors. The existing guidance is more than 10
years old, but the cyber threat landscape changes all the time and this
can make it difficult for chemical facilities to be up-to-date with
critical cybersecurity information to help protect their cyber systems.

[ Music ]

[Matt Oldham:] So it sounds like the CFATS program may not be providing
the most current cybersecurity guidance, and this could leave the
chemical facilities more vulnerable to cyber threats. Nick, what steps
could DHS take to address these vulnerabilities?

[Nick Marinos:] Well, I think you hit it on the head there, Matt. I
think the first one is for DHS to make sure that they have some kind of
process, some sort of system for regularly reviewing that guidance that
Nathan mentioned, and then making sure that it's updated as needed. And
then the second thing, Nathan mentioned the importance of inspections.
And we can't really emphasize enough the importance of ensuring that
those inspectors have the right skills and abilities to be able to
identify what those cyber risks are. So two other things that we think
are important are for DHS to improve the way that it evaluates the kind
of training that these inspectors are taking to ensure that they have
the right skills they need. And then finally I think we both feel a
strong need for DHS to take a more broad-based look at the ability for
its workforce to actually meet these cybersecurity needs and then come
up with an action plan so they can address any of those gaps that need
to be addressed.

[Matt Oldham:] And, Nathan, what's the bottom line of this report?

[Nathan Anderson:] Bottom line, beyond the need for the up-to-date
guidance that Nick just spoke to, DHS cannot ensure that it has the
right people with the right knowledge, skills, and abilities to assess
both cyber risks and protective measures. You know, the reason that this
needs to change is that you have a cyber threat that changes daily. When
guidance is 10 years out-of-date, when the folks in the federal
government tasked with assessing whether or not facilities that have
dangerous chemicals have the ability to protect from a changing threat
landscape, those inspectors, those folks tasked with assessing and in
certain cases protecting American citizens, need to have the knowledge,
skills, and abilities to be able to evolve and change and stay on top of
this threat landscape.

[Matt Oldham:] Nathan Anderson and Nick Marinos were talking about a GAO
report on a DHS program for evaluating the cyber security of chemical
facilities. Thank you both for your time, gents.

[Nathan Anderson:] Thank you, Matt.

[Nick Marinos:] Thanks a lot, Matt.

[Matt Oldham:] And thank you for listening to the Watchdog Report. To
hear more podcasts, subscribe to us on Apple podcasts. Make sure you
leave a rating and review to let others know about the work we're doing.
For more from the congressional watchdog, the U.S. Government
Accountability Office, visit us at gao.gov.

[ Music ]