Critical Infrastructure Protection:

Actions Needed to Enhance DHS Oversight of Cybersecurity at High-Risk Chemical Facilities

GAO-20-453: Published: May 14, 2020. Publicly Released: May 14, 2020.

Contact:

Nathan J. Anderson
(206) 287-4804
andersonn@gao.gov

Nicholas H. Marinos
(202) 512-9342
marinosn@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Terrorists and others may pose a cyber-threat to high-risk chemical facilities. Control systems, for example, could be manipulated to release hazardous chemicals. The Department of Homeland Security started a program more than a decade ago to help address these security risks.

We reviewed the program. DHS guidance designed to help about 3,300 facilities comply with cybersecurity and other standards has not been updated in over 10 years. Also, its cybersecurity training program for its inspectors does not follow some key training practices.

We made 6 recommendations, including that DHS review and update guidance and improve training.

A chemical facility
What GAO Found

The Chemical Facility Anti-Terrorism Standards (CFATS) program within the Department of Homeland Security (DHS) evaluates high-risk chemical facilities’ cybersecurity efforts via inspections that include reviewing policies and procedures, interviewing relevant officials, and verifying facilities’ implementation of agreed-upon security measures. GAO found that the CFATS program has guidance designed to help the estimated 3,300 CFATS-covered facilities comply with cybersecurity and other standards, but the guidance has not been updated in more than 10 years, in contrast with internal control standards which recommend periodic review. CFATS officials stated that the program does not have a process to routinely review its cybersecurity guidance to ensure that it is up to date with current threats and technological advances. Without such a process, facilities could be more vulnerable to cyber-related threats.

Potential Cyber-Related Threats to Chemical Facilities

The CFATS program developed and provided cybersecurity training for its inspectors, but GAO found that the CFATS program does not fully address 3 of 4 key training practices, or address cybersecurity needs in its workforce planning process, as recommended by DHS guidance. Specifically:

  • The CFATS program does not: (1) systematically collect or track data related to inspectors’ cybersecurity training or knowledge, skills, and abilities; (2) develop measures to assess how training is contributing to cybersecurity-related program results; or (3) have a process to evaluate the effectiveness of its cybersecurity training in improving inspector skillsets.
  • The program also has yet to incorporate identified cybersecurity knowledge, skills, and abilities for inspectors in its current workforce planning processes or track data related to covered facilities’ reliance on information systems when assessing its workforce needs.

Fully addressing key training practices will help ensure that CFATS inspectors have the knowledge, skills, and abilities for cybersecurity inspections, and identifying cybersecurity needs in workforce planning will help the program ensure that it has the appropriate number of staff to carry out the program’s cybersecurity-related efforts.

Why GAO Did This Study

Thousands of high-risk chemical facilities may be subject to the risk posed by cyber threat adversaries—terrorists, criminals, or nations. These adversaries could potentially manipulate facilities’ information and control systems to release or steal hazardous chemicals and inflict mass casualties on surrounding populations (see figure). In accordance with the DHS Appropriations Act, 2007, DHS established the CFATS program to, among other things, identify and assess the security risk posed to chemical facilities.

GAO was asked to examine the cybersecurity efforts of the CFATS program, including the extent to which the program (1) assesses the cybersecurity efforts of covered facilities, and (2) determines the specialty training and level of staff needed to assess cybersecurity at covered facilities.

GAO conducted site visits to observe the cybersecurity portion of CFATS inspections based on scheduled inspections, reviewed inspection documents, and interviewed CFATS inspectors. GAO also analyzed inspection guidance and training against key practices and assessed workforce planning documents and processes.

What GAO Recommends

GAO is making six recommendations to DHS to routinely review and, as needed, update its guidance; to fully incorporate key training practices; and to identify workforce cybersecurity needs. DHS concurred with the recommendations.

For more information, contact Nathan Anderson at (206) 287-4804 or andersonn@gao.gov or Nick Marinos at (202) 512-9342 or marinosn@gao.gov.

Recommendations for Executive Action

  1. Status: Open

    Comments: DHS concurred with this recommendation and stated that CISA's Infrastructure Security Division (ISD) will work to develop a documented process for reviewing CFATS cybersecurity guidance at regularly defined intervals. DHS stated in its comments that once the process is documented and implemented, ISD will revise or supplement existing guidance, as appropriate. We will continue to monitor DHS's actions to address the recommendation.

    Recommendation: The Assistant Director of the Infrastructure Security Division should implement a documented process for reviewing and, if deemed necessary, revising its guidance for implementing cybersecurity measures at regularly defined intervals. (Recommendation 1)

    Agency Affected: Cybersecurity and Infrastructure Security Agency (CISA)

  2. Status: Open

    Comments: DHS concurred with this recommendation and stated that CISA agrees that it is important to ensure training supports program goals, whether relating to inspector-specific or program-specific performance maintenance or improvement goals. Regarding inspector performance maintenance or improvement, DHS stated that, among other things, management will ensure that each inspector's individual performance plan fully captures their expected performance goals in the area of cybersecurity. We will continue to monitor DHS's actions to address this recommendation.

    Recommendation: The Assistant Director of the Infrastructure Security Division should incorporate measures to assess the contribution that its cybersecurity training is making to program goals, such as inspector- or program-specific performance improvement goals. (Recommendation 2)

    Agency Affected: Cybersecurity and Infrastructure Security Agency (CISA)

  3. Status: Open

    Comments: DHS concurred with this recommendation and stated that CISA agrees that process improvements to better document and evaluate the effectiveness of the training provided to CFATS staff are worthwhile. DHS stated in its comments that CISA will establish policies and procedures intended to ensure that all cybersecurity training provided to chemical security personnel is accounted for in a centralized mechanism. We will continue to monitor DHS's actions taken to address this recommendation.

    Recommendation: The Assistant Director of the Infrastructure Security Division should track delivery and performance data for its cybersecurity training, such as the completion of courses, webinars, and refresher trainings. (Recommendation 3)

    Agency Affected: Cybersecurity and Infrastructure Security Agency (CISA)

  4. Status: Open

    Comments: DHS concurred with this recommendation and stated that evaluating the effectiveness of training is beneficial and CISA will work to ensure that all cybersecurity courses provided to CISA chemical security staff are evaluated for effectiveness. DHS also stated that, among other things, CISA will require course evaluation forms from each attendee of any cybersecurity training provided by CISA to its chemical facility staff. We will continue to monitor DHS's actions to address this recommendation.

    Recommendation: The Assistant Director of the Infrastructure Security Division should develop a plan to evaluate the effectiveness of its cybersecurity training, such as collecting and analyzing course evaluation forms. (Recommendation 4)

    Agency Affected: Cybersecurity and Infrastructure Security Agency (CISA)

  5. Status: Open

    Comments: DHS concurred with this recommendation and stated that CISA will develop a concept of operations, which will include goals and requirements for a workforce review and planning effort to ensure the organization addresses the new program's capacity and capability to perform its regulatory, voluntary, and programmatic goals, to include its cybersecurity related functions. We will continue to monitor DHS's actions to address this recommendation.

    Recommendation: The Assistant Director of the Infrastructure Security Division should develop a workforce plan that addresses the program's cybersecurity-related needs, which should include an analysis of any gaps in the program's capacity and capability to perform its cybersecurity-related functions, and human capital strategies to address them. (Recommendation 5)

    Agency Affected: Cybersecurity and Infrastructure Security Agency (CISA)

  6. Status: Open

    Comments: DHS concurred with this recommendation and stated that CISA retains information on cyber integration levels for regulated facilities but that it is not in a readily accessible format. DHS stated in its comments that ISD will execute a contract for new information technology development support for the CSAT system and, once the contract is executed, will work with the new support contractor to build a tool that automates locating and reporting a facility's cyber integration level data in a more accessible format. We will continue to monitor the status of DHS's actions to address this recommendation.

    Recommendation: The Assistant Director of the Infrastructure Security Division should maintain reliable, readily available information about the cyber integration levels of covered chemical facilities and inspector cybersecurity expertise. This could include updating the program's inspection database system to better track facilities' cyber integration levels. (Recommendation 6)

    Agency Affected: Cybersecurity and Infrastructure Security Agency (CISA)
