DHS Chemical Security Program:
Cyber Security Requirements
Steven Burns
Energy Bar Association
Electricity Regulation & Compliance Committee
System Reliability, Planning & Compliance Committee
Summary
Certain energy facilities, including power plants, may be covered under the chemical security program.
A covered facility must assess its vulnerability to cyber attack and develop security measures to respond to identified vulnerabilities.
Special rules, including some affecting electronic communications and records management, govern “Chemical-terrorism
Outline
The DHS chemical security program: Origins and potential application to electric utilities
Security Vulnerability Assessment (SVA): Cyber security elements
Site Security Plan (SSP): Cyber security elements
Chemical-terrorism Vulnerability Information
The DHS chemical security program
Initial authorization: DHS Appropriations Act of 2007, § 550
─ Authorized security regulations for “chemical facilities” that “present high levels of security risk”
─ Three-year authorization; expires October 4, 2009
DHS regulations:
─ Proposed rule (to be codified at 6 C.F.R. Part 27): December 28, 2006
─ Interim final rule and proposed list of chemicals of interest (Appendix A): April 9, 2007
─ Final rule and final Appendix A: November 20, 2007
DHS has since provided additional guidance through
The DHS chemical security program
“Chemical facility”
─ One possessing the “screening threshold quantity” of any of the chemicals of interest on the list
Examples, depending on chemicals stored on site:
─ Coal-fired power plant (due to chlorine, anhydrous ammonia, hydrazine, etc.)
─ Plant under major construction
Note: Additional instructions on chemical concentrations, method of storage, etc., may affect applicability.
Exemptions: Several categories of facilities, including regulated nuclear facilities, are exempt from the program.
─ Every chemical facility must submit a “Top-Screen” to DHS, which includes a chemical inventory.
The DHS chemical security program
“Covered” facility
─ One determined by DHS, based on the Top-Screen submission, to pose a high security risk, based on quantity of chemicals, method of storage, proximity to population, etc.
─ “Tiered” from highest risk (Tier 1) to lowest risk (Tier 4)
─ Covered facilities are subject to additional program elements and requirements, including Security Vulnerability Assessments (SVAs) and Site Security Plans (SSPs).
Note: The regulations provide detailed instructions for what must be included in the SVA and SSP. However, a Tier 4 facility may submit an alternative SVA, and any covered facility may submit an alternative SSP, the elements of which may differ from the regulations.
Security Vulnerability Assessment (SVA)
A covered facility must submit an SVA to DHS for approval.
─ The facility submits the SVA to DHS through a series of on-line forms, including an extensive questionnaire.
The SVA requires identification and explanation of a broad range of security issues, including:
─ An identification and description of—
Cyber control system
Cyber business system
Security Vulnerability Assessment (SVA)
Cyber control system:
─ A system that can control the chemical process(es) of the facility and whose failure or misuse can result in the release, theft/diversion or sabotage with respect to the chemical of interest
The SVA instructions provide the following examples of cyber control systems: Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), Process Control Systems (PCS), and Industrial Control Systems (ICS).
Security Vulnerability Assessment (SVA)
Cyber business system:
─ An information system intended to improve the organization’s competitive position or support its corporate strategy
According to the SVA instructions, “Possible examples of these types of systems include business management systems like SAP™ or inventory management systems.”
─ Applicable only if the facility’s primary security issue is theft or diversion
Security Vulnerability Assessment (SVA)
SVA questions regarding cyber control and business systems:
─ External access? (Internet, wireless, etc.)
─ Limits on portable equipment such as laptops, PDAs, flash drives, smart cell phones, etc.?
─ Have access restrictions been validated through testing by information technology (IT) security professionals?
─ Documented cyber security policies, plans, and procedures commensurate with the IT operating environment?
Security Vulnerability Assessment (SVA)
SVA questions regarding cyber control and business systems (continued):
─ “Least privilege” access (based on roles and responsibilities)?
─ Default passwords changed?
─ Accounts locked after several unsuccessful logins?
─ Background checks for personnel in critical or sensitive positions?
Security Vulnerability Assessment (SVA)
SVA questions regarding cyber control and business systems (continued):
─ Physical access to sensitive or restricted areas restricted to those with appropriate need?
─ Cyber security training?
─ Logging and reporting practices for various cyber events?
─ Business requirement for all external connections?
─ Regular software and hardware patching,
Security Vulnerability Assessment (SVA)
SVA questions regarding cyber control and business systems (continued):
─ Means to identify and measure cyber security risks based on cyber security methodologies, standards, or best practices?
─ Network and system-level security tests on a regular basis and after upgrades / patches?
─ Vulnerability solutions appropriate for the environment (e.g., firewalls configured for minimum business or operational needs)?
Site Security Plan (SSP)
A covered facility must submit an SSP to DHS for approval.
SSP must:
─ Address vulnerabilities identified in the SVA and provide security measures to address each vulnerability
─ Explain how security measures will address the applicable risk-based performance standards (RBPS) and potential modes of terrorist attack
DHS may not disapprove an SSP based on the inclusion or exclusion of any particular security measure
Site Security Plan (SSP)
RBPS No. 8:
─ “Cyber. Deter cyber sabotage, including by preventing unauthorized onsite or remote access to critical process controls, such as Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), Process Control Systems (PCS), Industrial Control Systems (ICS), critical business system, and other sensitive computerized systems”
Site Security Plan (SSP)
RBPS No. 8 (continued):
─ Two primary cyber goals:
Prevent attacks on cyber systems that could cause economic or strategic damage
Prevent the use of a cyber system to attack the facility, its processes, or its materials
─ RBPS 8 addresses various categories of activities, including:
Security policy, access control, personnel security, training, monitoring and incident response, disaster recovery and business continuity, system development and acquisition, configuration management, audits
Site Security Plan (SSP)
The chemical security program has a significant site-specific (physical) focus, which will include site inspections. However, cyber security differs from physical security in important ways:
─ Cyber experts, equipment, data, etc. may be off-site
─ Cyber functions may be performed by in-house or contracted third parties
─ Backup data may often be stored off-site and by separately owned companies
Recognizing those factors, DHS has indicated it may conduct cyber inspections at headquarters in addition to physical inspections at the plant.
Chemical-terrorism Vulnerability Information (CVI)
CVI includes SVAs, SSPs, audit and inspection documents, Top-Screen submissions, and other information
CVI is accessible only by persons who:
─ are authorized, based on completing CVI training and complying with any background check or other identification DHS may require; and
─ have a need to know the information
Chemical-terrorism Vulnerability Information (CVI)
Special rules govern CVI access, storage, transmission, and destruction, including:
─ Transmission only to and from covered persons
─ Document marking and identification
─ Encrypted e-mail / no personal e-mail (such as Gmail)
─ Overwriting / degaussing of electronic storage media
References
Dept. of Homeland Security Appropriations Act of 2007, § 550, 120 Stat. 1355, 1388 (Oct. 4, 2006).
6 C.F.R. Part 27
─ Proposed Rule, 71 Fed. Reg. 78,276 (Dec. 28, 2006)
─ Interim Final Rule, 72 Fed. Reg. 17,688 (Apr. 9, 2007)
─ Final Rule, 72 Fed. Reg. 65,396 (Nov. 20, 2007)
Critical Infrastructure: Chemical Security (DHS web page):
http://www.dhs.gov/xprevprot/programs/gc_1169501486179.shtm
Chemical Security Assessment Tool - Frequently Asked