Chemical Security Quarterly - Winter 2023
CISA Chemical Security Conducts 10,000th Compliance Inspection
In January 2023, CISA Chemical Security conducted its 10,000th Compliance Inspection under the Chemical Facility Anti-Terrorism Standards (CFATS) regulatory program. CISA Chemical Security Inspectors (CSIs) conduct recurring Compliance Inspections at all high-risk chemical facilities to ensure that facilities are fully implementing the existing and planned security measures described in a facility’s approved security plan. The milestone is a testament to the dedication of our regional personnel who carry out these inspections, compliance personnel, and our strong relationships with industry. CSIs enhance the chemical security of our nation. In reflecting on this milestone, Associate Director (AD) Kelly Murray noted “not only is the number of compliance inspections truly remarkable, but also the innovation and efficiencies that we have achieved along the way,” adding that “we now have new levels of data both to report on the success of the CFATS program through inspections and the ability for increased information sharing with our industry stakeholders.”
Microsoft has publicly announced that effective January 10, 2023, they will no longer be offering support for systems running Windows 8.1. So, what does this mean for you? You will still be able to use Windows 8.1 after January 10; however, you will no longer be able to get technical support for any issues, software updates, or security updates or fixes. This may put your systems at risk for viruses and malware. Microsoft recommends either upgrading your devices to a new version of Windows that is still supported (Windows 10 or higher) or moving to new PCs capable of running Windows 11.
Additional information can be found on the Microsoft End of Support for Windows 8.1 webpage.
2023 Cyber Hygiene Reminders and Best Practices
Cybersecurity is a critical part of chemical security, regardless of your facility’s size. This is a great time to conduct an inventory of your facility’s security posture, including the cybersecurity measures and cyber hygiene practices already in place. Cyber hygiene refers to the activities a facility has in place to maintain system health and online safety. It is critical to protect systems and networks against the ever-increasing sophistication of cyber threats and nation-states.
Whether you are a large facility dealing with a labyrinth of information technology (IT) and operational technology (OT), or a small shop placing orders online, there are things you can (and should) do to secure your facility’s assets:
1. Use strong passwords and multi-factor authentication (MFA)
Passwords protect critical information from nefarious actors. Risk-Based Performance Standard (RBPS) 8 – Cyber requires high-risk chemical facilities to implement password management as part of their Access Control security measures.
Implementing multi-factor authentication (MFA) adds an additional layer to your user account authentication, making it more difficult for outsiders to access your corporate data, while providing you with an option to fulfill this important RBPS 8 requirement.
CISA has additional tools to help you on your MFA journey!
2. Train your employees on cybersecurity
Did you know that social engineering (including phishing email scams) remains the primary entryway for cybercriminals into corporate networks? Your facility’s cyber training is not only your first line of defense—it is also a requirement under the CFATS RBPS 8 - Cyber.
Common cybersecurity training topics include how to stay cyber safe while working remotely, how to spot phishing emails, how to handle corporate data being discussed on social media and understanding the hazards of clicking links from unfamiliar senders.
3. Ensure all software and hardware systems helping run your facility are patched and up to date
We all know the risks of cybercriminals gaining a foothold into our environments and accessing corporate information. Although phishing remains the most frequent avenue for criminals attempting to access your network, software vulnerabilities provide the next best opportunity. Installing software updates and patches regularly can help protect your networks from unnecessary attacks. Chemical security inspectors will ask about your patch management program the next time they are on site.
In today’s digital environment, something as simple as joining the local coffee shop’s Wi-Fi on a vulnerable or unpatched system can spell disaster for your facility. Did you know that CISA also provides a no-cost vulnerability scanning service?
4. Review your organization’s security documentation and examine annual priorities
Security teams should review and evaluate existing information security policies for relevance or practicality in the face of new threats, recent changes in business operations, or new infrastructure investments. Questions to consider during the review can include:
- Does your incident response plan speak specifically to your facility’s OT and consist of updated points of contact ready to handle the tactics, techniques, and procedures (TTPs) specific to industrial threat groups?
- Are you planning tabletop exercises this year to ensure the security team’s documentation is fit for the purpose?
These questions and others should be evaluated and assessed at least annually and aligned with your facility’s leadership goals and priorities to help protect your organization. Annual evaluations also provide an opportunity for facilities to make updates to their Site Security Plans (SSPs) in the event your facility’s new priorities have changed your security team’s ongoing operations.
While you’re at it, check out the available services provided by CISA to help you make the most out of your 2023 security program planning and priorities.
1993 Bombing of the World Trade Center Commemoration Presentation
On the afternoon of February 26, 1993, a group of Sunni violent extremists, including some that trained in al-Qaida camps on the Afghanistan-Pakistan border, detonated a Vehicle-Borne Improvised Explosive Device (VBIED) in the parking garage of the World Trade Center (WTC) in New York City, NY. The VBIED included over 1,000 pounds of urea-nitrate explosives, homemade dynamite, and hydrogen gas cylinders. The blast damaged seven levels of the North Tower, killed six people, injured more than 1,000, and caused approximately $500 million in structural damage. This incident is a reminder of the importance of securing explosive precursor chemicals and the need for awareness and preparation.
In memory of this tragic event, please join the CISA Office for Bombing Prevention and CISA Chemical Security Office for a webinar that will discuss the 30-year commemoration of the WTC bombing. A case study of the bombing will be presented that describes the attack, followed by a discussion of bombing prevention training, tools, and resources intended to prevent future loss of life and critical infrastructure.
Who should attend?
Our target audience for this webinar series is homeland security, public safety, emergency management, and emergency response personnel.
Event Details
Monday, February 27, 2023, at 1 p.m. EST
Click here to join the webinar.
For more information or to seek additional help, contact the Emergency Services Sector Management Team.
Yesterday, CISA launched its newly revamped CISA.gov website. Over the last few months, CISA has been talking to stakeholders and getting feedback to help develop a new, user-centric design that makes our agency’s resources and tools easier to find. The new look, feel, design, and services are not only simpler to navigate, they’re also vastly improved.
In addition to organizing the site by service and tool, we have added audience-based search capabilities so individuals and partners have another way to find what they’re looking for. A new Spotlight section highlights the topics we support daily so you can see what we’re focused on and stay up-to-the-minute on timely, trending issues. On our News and Events page, you’ll see what we’ve said and done in the past, and where we’ll be in the future.
Importantly, the new website also reflects our One CISA philosophy. For example, CISA.gov now includes all the information from the former US-CERT website. All that operational content—the alerts and advisories—is still there, now consolidated so you can find it more quickly. Resources and tools are no longer separated by program, but are now listed in a filterable system on our Resources & Tools page, making it easier to find exactly what you need with just a few simple clicks.
If you had bookmarks to any of the CFATS or ChemLock webpages on the previous website, those bookmarks should still work. We highly encourage you to update all bookmarks, including links to individual documents. If for any reason you need help finding a new link, please don’t hesitate to contact us at CFATS@hq.dhs.gov.
This has been a long-awaited project, and CISA is excited to finally share it with our partners and the public. For a quick tour of the new web features, take a look at our launch video. And please help us spread the word by sharing our new site with your partners as well.
ChemLock Service Spotlight: Assessments
CISA’s ChemLock program is a completely voluntary program that provides facilities that possess dangerous chemicals with no-cost services and tools to help them better understand the risks they face and improve their chemical security posture in a way that works for their business model.
Using CISA’s extensive knowledge of chemical security best practices, CISA chemical security personnel under the ChemLock program can provide virtual or on-site assistance and assessments. These ChemLock services help facilities identify the specific security risks their on-site chemicals present and offer scalable, tailored suggestions for security measures that will best enhance your site’s security posture based on your unique circumstances and business model.
CISA’s ChemLock on-site assessments and assistance can help you assess the risk of dangerous chemicals at your facility and then develop security plans that address those risks. These services include:
- Security Awareness Consultation: CISA experts work with your facility to identify potentially dangerous chemicals and the security risks that those chemicals may pose.
- Security Posture Assessment: CISA experts work with your facility to assess your current security posture and identify security enhancements tailored to your facility’s unique circumstances and needs.
- Security Planning Visit: CISA experts work with your facility to develop or update a security plan based on ChemLock: Secure Your Chemicals that is both appropriate to your facility’s specific security concerns and drives actionable, cost-effective improvements in your chemical security posture.
To request any CISA on-site assessment and assistance service, please fill out the ChemLock Services Request Form.
For more information or questions, please email ChemLock@cisa.dhs.gov.
NOTE: Participation in any portion of CISA’s ChemLock program does not replace any reporting or compliance requirements under CISA’s Chemical Facility Anti-Terrorism Standards (CFATS) regulation (6 CFR part 27). Some ChemLock activities may fulfill CFATS requirements, depending on your specific security plan. Contact local CISA Chemical Security personnel or visit the CFATS webpage to learn more about CFATS regulatory requirements.
Upcoming ChemLock Trainings
CISA’s ChemLock program offers live, on-demand training to assist owners, operators, facility personnel, and retailers with understanding the threats that chemicals pose and what security measures can be put into place to reduce the risk of dangerous chemicals being weaponized. To request a special offering of ChemLock training courses for your facility or organization, please fill out the ChemLock Services Request Form.
In addition to training specifically requested by an organization, CISA provides the ChemLock: Introduction to Chemical Security training course on a quarterly basis on a first-come, first-serve basis.
Additionally, CISA provides the ChemLock: Secure Your Chemicals Security Planning training course on a quarterly basis on a first-come, first-serve basis. This course can also be specifically requested by an organization via the ChemLock Services Request Form.
CFATS Program Statistics
To date, CISA has received more than 107,000 Top-Screen submissions from more than 44,000 facilities. Currently, 3,246 of these facilities are high-risk. Additionally, the program has completed 4,637 Authorization Inspections, 10,121 Compliance Inspections, and 10,427 Compliance Assistance Visits.
View these and other statistics on the CFATS Monthly Statistics webpage, which is updated at the beginning of each month.
CISA Chemical Security continues to provide new and updated resources for the entire chemical security community.
CFATS Resources
We are committed to helping facility personnel understand and comply with CFATS. If you have any questions, reach out to our team of CFATS experts at cfats@hq.dhs.gov.
Request a CFATS Presentation to learn about the program—from submitting a Top-Screen to editing a security plan.
Request a Compliance Assistance Visit to learn how to prepare for CFATS-related inspections.
Meet your local Chemical Security Inspector (CSI) to develop partnerships and for assistance. Contact your CSI by emailing cfats@hq.dhs.gov.
Call the Chemical Security Assessment Tool (CSAT) Help Desk for technical support on the CSAT Portal or CFATS-related applications. Call 1-866-323-2957 Monday-Friday 8:30am to 5:00pm ET, or email CSAT@hq.dhs.gov.
ChemLock Resources
CISA’s ChemLock publications are no-cost, publicly available guidance documents, templates, fact sheets, and toolkits to help facilities enhance the cyber and physical security surrounding their chemicals.
To request CISA ChemLock services or tools, please fill out the ChemLock Services Request Form.
For more information or questions, please email ChemLock@cisa.dhs.gov.